Vulnerability Disclosure Policy

We take security seriously. This page outlines how to responsibly report security vulnerabilities.

Introduction

TrackIT is committed to maintaining the security of our platform and protecting our users' data. We value the security research community and recognize the important role that ethical security researchers play in Internet security.

If you believe you have discovered a security vulnerability in TrackIT, we encourage you to report it to us in a responsible manner. We will work with security researchers to verify and address reported vulnerabilities.

Security Scope

We are interested in receiving reports about security vulnerabilities in the following areas:

In Scope
  • TrackIT web application (https://monitoring.ly)
  • TrackIT API (https://api.monitoring.ly)
  • Authentication and authorization flaws, including authentication bypass and access to another user's data or actions
  • Exposure or leakage of user data
  • Server-side vulnerabilities such as SQL injection and remote code execution (RCE)
  • Cross-site scripting (XSS)
  • Critical business logic flaws

Out of Scope
  • Physical attacks against our infrastructure
  • Social engineering attacks (phishing, etc.)
  • Denial of service (DoS/DDoS) attacks
  • Attacks requiring physical access to a user's device
  • Clickjacking on pages without sensitive actions
  • Issues that require a jailbroken or rooted mobile device
  • Email spoofing or SPF/DKIM/DMARC issues
  • Reports from automated scanners without proof of concept
  • Self-XSS (XSS that affects only the user who injects the payload)
  • Missing security headers that don't directly lead to a vulnerability
  • Content spoofing/text injection without a demonstrated attack vector
  • Missing or misconfigured CORS headers without demonstrated cross-origin access to user data
  • Weak SSL/TLS configurations without proof of exploitation
  • Vulnerabilities in third-party applications or services that we do not control

How to Report

To report a security vulnerability, please follow these steps:

Email Security Team

Send an email to security@monitoring.ly with the following information:

  • Type of vulnerability
  • Location of the affected component (URL, endpoint, etc.)
  • Step-by-step instructions to reproduce the issue, including any accounts, roles or preconditions required
  • Potential impact of the vulnerability
  • Proof of concept (if applicable)
  • Suggested fix or mitigation (if available)

Encryption (Optional but Preferred)

For sensitive reports, in particular those containing working proof-of-concept code or user data, we encourage you to encrypt your email with PGP before sending it.

Response Time

We aim to acknowledge receipt of your report within 48 hours. The time to an initial assessment and to a fix depends on the severity of the issue (see Remediation Timeline below). We will keep you informed about our progress throughout the remediation process.

Safe Harbor

We commit to the following: If you act in good faith and follow this disclosure policy, we will not pursue legal action against you for security research activities related to your report. We will work with you to understand and resolve the issue quickly.

Activities that are NOT covered under safe harbor:

  • Accessing or modifying user data without explicit permission (test only with accounts you control)
  • Performing any action that could harm our users or degrade our services, such as destructive testing or denial of service
  • Violating any applicable laws or regulations
  • Disclosing the vulnerability publicly before we have addressed it

Remediation Timeline

We are committed to addressing security vulnerabilities in a timely manner:

  • Critical vulnerabilities: Initial assessment within 24 hours, remediation within 7 days
  • High severity: Initial assessment within 48 hours, remediation within 30 days
  • Medium severity: Initial assessment within 5 business days, remediation within 90 days
  • Low severity: Initial assessment within 10 business days, remediation as resources allow

Recognition

With your permission, we would like to recognize your contribution to our security program by adding you to our Security Acknowledgments page.

We will only include your name or handle if you explicitly agree to be publicly recognized. You can choose to remain anonymous if you prefer.