Security researchers make the whole internet safer, and we're grateful for anyone who takes the time to help us improve. This policy explains how to report a vulnerability in Compliance One, what you can expect from us, and the simple rules that keep everyone on the right side of the line.
Email us at security@complianceonecloud.com with the details. A good report includes: what you found, where (the URL, endpoint, or feature), clear steps to reproduce it, and its potential impact. If you're not sure whether something is a real issue, tell us anyway — we'd rather take a look than miss it.
If you make a good-faith effort to follow this policy, we consider your research authorised, and we won't pursue or support legal action against you for it. If a third party brings action against you for activity that followed this policy, we'll make it known that you were acting within our guidelines.
To keep your research in scope and safe, please:
To be upfront: we don't currently run a paid bug bounty programme, and we don't offer monetary rewards for reports. What we do offer is real, public credit. With your permission, we'll add your name to our Security Hall of Fame to thank you for making Compliance One safer. If you'd rather stay anonymous, that's completely fine too.
This is where we recognise the researchers who've responsibly disclosed issues and helped protect our customers. The list is just getting started — report something valid and, with your consent, you could be the first name on it. Thank you in advance.
A few things generally aren't useful to report (though use judgement — if you've found a real way to exploit one, tell us):
Not sure about something before you start? Email security@complianceonecloud.com and ask.