Home

Responsible Disclosure Policy

Last updated: 16 July 2026

Security researchers make the whole internet safer, and we're grateful for anyone who takes the time to help us improve. This policy explains how to report a vulnerability in Compliance One, what you can expect from us, and the simple rules that keep everyone on the right side of the line.

How to report

Email us at security@complianceonecloud.com with the details. A good report includes: what you found, where (the URL, endpoint, or feature), clear steps to reproduce it, and its potential impact. If you're not sure whether something is a real issue, tell us anyway — we'd rather take a look than miss it.

What you can expect from us

  • We'll acknowledge your report promptly and let you know we're on it.
  • We'll investigate, keep you updated on our progress, and work to fix confirmed issues as quickly as their severity warrants.
  • We'll be honest with you about what we found and what we did about it.

Safe harbour

If you make a good-faith effort to follow this policy, we consider your research authorised, and we won't pursue or support legal action against you for it. If a third party brings action against you for activity that followed this policy, we'll make it known that you were acting within our guidelines.

The rules of engagement

To keep your research in scope and safe, please:

  • Only test against your own account and data — never access, modify, or delete another user's or organisation's data.
  • Don't run attacks that degrade the service for others (no denial-of-service, no automated high-volume scanning that overloads us).
  • Don't use social engineering, phishing, or physical attacks against our people or offices.
  • Give us a reasonable chance to fix an issue before disclosing it publicly, and never publish customer data.
  • Stop and check with us if you're ever unsure whether an action is allowed.

No bug bounty — but genuine recognition

To be upfront: we don't currently run a paid bug bounty programme, and we don't offer monetary rewards for reports. What we do offer is real, public credit. With your permission, we'll add your name to our Security Hall of Fame to thank you for making Compliance One safer. If you'd rather stay anonymous, that's completely fine too.

Security Hall of Fame

This is where we recognise the researchers who've responsibly disclosed issues and helped protect our customers. The list is just getting started — report something valid and, with your consent, you could be the first name on it. Thank you in advance.

Out of scope

A few things generally aren't useful to report (though use judgement — if you've found a real way to exploit one, tell us):

  • Reports from automated scanners without a demonstrated, real-world impact.
  • Missing best-practice headers or configuration with no concrete exploit.
  • Issues in third-party services we don't control (report those to the third party).
  • Anything requiring an already-compromised device or unlikely user interaction.

Questions

Not sure about something before you start? Email security@complianceonecloud.com and ask.