Security
Responsible Disclosure Policy
Effective Date: May 26, 2026 · Last Updated: May 26, 2026
At Amity Cyber Resolved, we take the security of our systems and our clients' trust seriously. We welcome and appreciate the efforts of security researchers who help us identify vulnerabilities in our own infrastructure. This policy provides guidelines for conducting security research and reporting vulnerabilities to us.
🛡️ Our Commitment
If you discover a vulnerability in our systems and report it responsibly, we will work with you in good faith. We will not pursue legal action against researchers who follow this policy, and we will acknowledge your contribution.
1. Scope
✅ In Scope
- amitycyberesolved.com (main website)
- API endpoints (*.amitycyberesolved.com/api/*)
- Admin panel authentication
- Contact form processing
- Blog system
- Session management
🚫 Out of Scope
- Third-party services (Render, Squarespace, Google Workspace)
- Social engineering or phishing attacks
- Denial of Service (DoS/DDoS) attacks
- Physical security testing
- Attacks against other users or clients
- Spam or social media account takeover
2. Guidelines
We ask that security researchers adhere to the following guidelines:
- Do not access, modify, or delete data belonging to other users
- Do not perform actions that could degrade, disrupt, or damage our services or infrastructure
- Do not exploit a vulnerability beyond the minimum necessary to demonstrate its existence
- Stop testing and report immediately if you encounter any user data
- Do not use automated scanning tools at high volume — keep requests reasonable
- Do not publicly disclose the vulnerability before we have had a reasonable opportunity to fix it
- Provide sufficient detail in your report for us to reproduce and verify the issue
3. How to Report
Please send vulnerability reports to:
Email: security@amitycyberesolved.com
Please include the following in your report:
- Description of the vulnerability and its potential impact
- Step-by-step instructions to reproduce the issue
- Proof of concept (screenshots, HTTP requests/responses, video)
- Affected URL(s) or endpoint(s)
- Your assessment of severity (Critical/High/Medium/Low)
- Any suggested remediation
- Your name or handle (for acknowledgment, if desired)
4. Severity Guidelines
| Severity | Description | Examples |
| Critical | Full system compromise or mass data exposure | RCE, SQL injection, auth bypass to admin, mass PII exposure |
| High | Significant data access or privilege escalation | IDOR exposing user data, stored XSS on admin panel, credential leakage |
| Medium | Limited impact requiring user interaction | Reflected XSS, CSRF on non-critical functions, information disclosure |
| Low | Minimal security impact | Missing security headers, verbose errors, clickjacking on non-sensitive pages |
5. What We Will Not Accept
The following are generally considered out of scope and will not qualify:
- Reports from automated scanners without verified proof of exploitability
- Missing HTTP security headers without demonstrated impact
- SSL/TLS configuration issues on third-party hosted services
- Rate limiting issues on non-authentication endpoints
- Clickjacking on pages with no sensitive actions
- Self-XSS (XSS that only affects the user performing the action)
- CSRF on unauthenticated forms (e.g., the contact form)
- Email spoofing / SPF / DKIM / DMARC configuration
- Content injection without demonstrated security impact
6. Our Response
When you submit a report, here is what you can expect:
- Acknowledgment: We will confirm receipt of your report within 48 hours
- Assessment: We will evaluate the report and provide an initial severity assessment within 5 business days
- Remediation: We will work to remediate verified vulnerabilities as quickly as possible, prioritized by severity
- Communication: We will keep you informed about the status of your report
- Recognition: With your permission, we will acknowledge your contribution on our website or in our communications
7. Safe Harbor
We consider security research conducted in accordance with this policy to be authorized and will not initiate legal action against researchers who comply with these guidelines. If a third party initiates legal action against you for research conducted under this policy, we will make it known that your actions were authorized.
This safe harbor applies only to legal claims under our control and does not bind independent third parties.
8. Rewards
While we do not currently operate a formal paid bug bounty program, we deeply value the work of security researchers. We offer public acknowledgment (with your consent) for valid reports. As we grow, we plan to formalize a bounty program with monetary rewards for qualifying vulnerabilities.
📬 Report a Vulnerability
Found something? Send details to security@amitycyberesolved.com. We appreciate your help in keeping our systems and clients safe.
9. Contact
Amity Cyber Resolved LLC
Security Reports: security@amitycyberesolved.com
General Inquiries: hello@amitycyberesolved.com
Website: amitycyberesolved.com