Responsible Disclosure Policy

Last updated 16/08/2025

The security and privacy of the data of our clients and users (“User Data”) is important to Adnuntius (“We”). We take our responsibility to protect this user data seriously and use technical, administrative, and physical controls in order to safeguard it.

We want to hear from security researchers (“You” or “Your”) who have information related to suspected security vulnerabilities (“Vulnerability” or “Vulnerabilities”) of any Adnuntius services handling user data. Please report any such vulnerabilities to us in accordance with these Vulnerability Disclosure Terms (“Terms”).

Services in scope:

  • adnuntius.com

  • Any subdomains of adnuntius.com, for example docs.adnuntius.com

If you submit a vulnerability in accordance with all of the Terms, Adnuntius will work with you to understand, validate, and address the vulnerability. We may, at our discretion, provide a monetary reward for any issue we deem serious, in which case you are responsible for any tax implications of such a payment depending on your country of residency and citizenship.

Thank you for your help in making Adnuntius more secure.

Reporting a Vulnerability

Please submit your vulnerability to Adnuntius by completing the form at the end of these terms, and submitting both the completed form and vulnerability to security@adnuntius.com (“Report”). By submitting your report to Adnuntius you agree to all of the following:

  • You agree not to publicly disclose the vulnerability until Adnuntius agrees to a public disclosure. We have the ability to fix issues immediately on receiving a report, and will disclose after ensuring all customer data is safe, but you must allow us up to 90 days to do so.

  • You agree to keep all communication with Adnuntius confidential

  • You represent that you did not copy the report or any part of it from another third party

  • You allow Adnuntius and its affiliates the ability to use, distribute, and/or disclose information provided in your report for security remediation and related purposes

Your Responsibilities

We ask that you do all of the following in conducting your research:

  • Comply with all applicable laws

  • Only interact with your own accounts or test accounts, not with other users

  • Contact us immediately if you encounter user data. Do not access or save the data, and immediately purge it after reporting the vulnerability to Adnuntius

We expressly prohibit any of the following conduct:

  • Publicly disclosing a vulnerability without our consent

  • Accessing or modifying our data or our users’ data

  • Degrading our services via Denial of Service attacks, including spamming forms

  • Attacks on third-party services

The following issues are outside the scope of our vulnerability disclosure program:

  • Attacks which in our judgement could not be exploited to obtain user data

  • Attacks which cannot be used to affect another Adnuntius user, such as Self-XSS

  • Attacks requiring physical access to a user’s device

  • Any access to data where the targeted user needs to be operating a rooted mobile device

  • Any physical attempts against Adnuntius property or data centers

  • Social engineering of Adnuntius employees or contractors

  • SPF/DMARC records

  • Password, email and account policies, such as email ID verification, reset link expiration, and password complexity

  • Absence of rate limiting, unless related to authentication

  • Any report that discusses how you can learn whether a given username or email address has an Adnuntius account

  • Hyperlink injection or any link injection in emails we send

  • Lack of CSRF tokens unless you can show how this is exploitable to obtain our user data

  • Attacks, such as clickjacking, which require the attacker to overlay on top of an Adnuntius webpage

  • Vulnerabilities affecting users of outdated browsers or platforms

  • Open ports on servers operated by Adnuntius, unless that port exposes a service containing user data

  • Denial of service attacks

If you make a good faith effort to comply with this policy when conducting vulnerability research and reporting, we will consider such research authorized, we will not initiate legal action against you, and we will work with you to understand and resolve the issue. Activities outside the scope of this policy, or that intentionally cause harm to Adnuntius or its users, are not authorized.

These Terms and any dispute arising out of or relating to them shall be governed by and construed in accordance with the laws of Norway. You agree to submit to the exclusive jurisdiction of the courts located in Norway to resolve any legal matter arising from these Terms.

To the maximum extent permitted by law:

  • Adnuntius is not responsible for any damages, losses, or liabilities you may incur through your security research.

  • No warranties or commitments are provided regarding acknowledgment, remediation, or rewards for reports submitted under this policy.

  • Any reward offered is discretionary and does not create any contractual right to payment.

Adnuntius Vulnerability Submission Form

Contact Information

Name: __________________________

Email: __________________________

Organization (if any): __________________________

Vulnerability Details

Affected service or domain: __________________________

Vulnerability type (e.g., XSS, SQL injection, misconfiguration): __________________________

Detailed description:

Impact (What an attacker could achieve by exploiting this vulnerability):

Suggested Remediation (optional):

Researcher Declaration

☐ I confirm that this report is submitted in accordance with the Adnuntius Responsible Disclosure Policy and that I have not intentionally accessed or retained any personal data of Adnuntius users.

Signature (typed name): __________________________

Date: ___ / ___ / _____