CoLoop Responsible Disclosure Policy
Effective Date: 1st March 2025
Last Update: 19th May 2025
At CoLoop, we value the contributions of the security research community to help maintain the security and integrity of our systems, applications, and data. This policy outlines how security researchers can responsibly disclose vulnerabilities to us and what they can expect in return.
Scope
This policy and its terms apply to:
Any vulnerabilities in systems, applications, or services directly operated by CoLoop.
Subdomains, APIs, or infrastructure managed by CoLoop.
This policy does not cover vulnerabilities in third-party systems, services, or software used by CoLoop but not under our direct control. Researchers should report such findings to the respective vendors, and we will help facilitate this where possible. Where CoLoop relies on such a service, CoLoop retains the right to request that any research activity involving it stop.
Any non-passive research actions performed directly on CoLoop systems are explicitly out of scope and forbidden unless prior consent has been given explicitly in writing and the scope specified. This policy does not constitute such prior consent and cannot be claimed as such.
Exclusions
The following activities are explicitly prohibited under this policy:
Performing any invasive, non-passive action on production and live systems without prior consent.
Leaving artifacts on CoLoop systems, such as posts, comments, and data without prior consent.
Using this policy to offer or sell services under the guise of ethical security research.
Exploitation of vulnerabilities for personal gain.
Repeated testing or exploitation after reporting.
Disclosure of vulnerabilities to third parties without CoLoop's prior consent.
Demanding compensation or payment after the disclosure has been deemed out of scope.
Any other activities that could be deemed harmful to the reputation of the company or the experience of its users.
Guidelines for Responsible Disclosure
To ensure your findings are handled responsibly and without legal repercussions, CoLoop asks researchers to please:
Act in Good Faith:
Avoid violating the privacy of users, accessing non-public data, or disrupting services.
Use only the minimum required testing methods to demonstrate the vulnerability.
Keep CoLoop and end-users in mind:
Do not perform actions that could impact users' perception of CoLoop's systems.
Do not negatively impact the systems which you are testing.
Do not leave artifacts such as posts and comments that can be observed.
Scope of Testing:
Test only systems explicitly covered under this policy.
Do not test on production systems without prior consent.
Do not leave artifacts on the system (e.g. comments, posts, meetings).
Do not perform social engineering, phishing, physical security testing, or denial-of-service attacks.
Do not conduct tests that could break or stop our systems without prior consent.
Do not report vulnerabilities that cannot be exploited or have no risk attached to them.
Report Findings Promptly:
Include a detailed description of the vulnerability, including the affected system, potential impact, and steps to reproduce.
Provide proof of concept where applicable.
Avoid Disclosure Until Resolved:
Do not publicly disclose the vulnerability until we have resolved it and granted permission.
Reporting Process
Submit Your Report: Email your findings to security@coloop.ai with the subject line: "Responsible Disclosure: [Vulnerability Name]".
Include Necessary Details:
Your name and contact information.
Description of the vulnerability and its impact.
Your assessment of how it can be exploited; please do not report findings for which there is no exploit.
Steps to reproduce the vulnerability or proof of concept.
Any additional supporting materials (e.g., screenshots, logs).
Acknowledgment of Receipt:
CoLoop will acknowledge your report as soon as possible.
Evaluation Timeline:
CoLoop aims to validate and respond with its assessment and next steps within 15 business days from acknowledgement.
Accepting the Disclosure:
It is at CoLoop's discretion whether the disclosure is to be accepted.
It is at CoLoop's discretion to determine the level of recognition warranted.
It is at CoLoop's discretion to decide whether anything apart from the Hall of Fame is applicable.
It is at CoLoop's discretion to refuse low-effort disclosures or those without any significance.
Our Commitment to Researchers
If you follow the guidelines of this policy, we commit to:
No Legal Action: We will not initiate legal action against researchers acting in good faith and in compliance with this policy. If we suspect that a researcher is not acting in good faith, we reserve the right, at our discretion, to take legal action and to decide whether to first reach out to discuss the matter.
Recognition: With your consent, we will send you a gift of appreciation and/or acknowledge your contribution on our Hall of Fame or similar platform at our discretion.
Transparency: We will provide regular updates on the status of the vulnerability you reported.
Hall of Fame
Researchers who responsibly disclose vulnerabilities and help improve our security will, with their consent, be listed on our Security Hall of Fame page as a token of appreciation.
Questions
If you have any questions about this policy, contact us at security@coloop.ai.
Thank you for helping us maintain the security and integrity of CoLoop's systems and services.