
    Vulnerability Disclosure Policy

    We welcome good-faith security reports that help protect our users. This page explains what is in scope, how to report, what to expect from us, and the rules for testing. We do not operate a bug bounty, and we do not pay for unsolicited reports.

    Last updated: 26 August 2025

     

    Scope

    • Public websites and web applications owned and operated by [Your Company Name].

    • Only targets that can be accessed without using credentials that belong to someone else and without causing disruption.

     

    Out of Scope

    • Third-party services such as hosting providers, payment processors, email services, analytics, and content delivery networks.

    • Denial of service attacks, high-volume automated scanning, resource exhaustion, or any action that degrades service.

    • Reports without a working proof of concept or those consisting only of automated scanner output.

    • Best practice findings without clear exploitability (for example, missing security headers on non-sensitive pages, version banners, clickjacking on pages with no sensitive action, SPF or DMARC alignment advice).

    • Social engineering, phishing, physical security, and non-technical fraud.

     

    Rules of Engagement

    • Respect privacy. Do not access, modify, or copy data that does not belong to you.

    • Do not disrupt services or degrade performance.

    • Act in good faith and within the boundaries of this policy.

     

    How to Report

    Send an email to security@clickalgo.com with:

    • A clear description of the issue.

    • The exact affected URL or system.

    • Step-by-step instructions to reproduce the vulnerability.

    • A minimal proof of concept that demonstrates the impact.

     

    What to Expect

    • We will acknowledge valid reports sent to security@yourdomain.com.

    • Out-of-scope reports and generic scanner results will not receive a reply.

    • We do not pay for reports or run a bug bounty.