CoLoop Responsible Disclosure Policy

Effective Date: 1st March 2025

Last Update: 19th May 2025

At CoLoop, we value the contributions of the security research community to help maintain the security and integrity of our systems, applications, and data. This policy outlines how security researchers can responsibly disclose vulnerabilities to us and what they can expect in return.


Scope

This policy and its terms apply to:

  • Any vulnerabilities in systems, applications, or services directly operated by CoLoop.
  • Subdomains, APIs, or infrastructure managed by CoLoop.

This policy does not cover vulnerabilities in third-party systems, services, or software used by CoLoop but not under our direct control. Researchers should report such findings to the respective vendors, and we will help facilitate this where possible. Where such a service is operated by CoLoop, CoLoop retains the right to request that any research activity stop.

Any non-passive research actions actively and directly performed on CoLoop systems are explicitly out of scope and forbidden unless prior consent was explicitly provided in writing and the scope was specified. This policy does not constitute prior consent and cannot be claimed as such.

Exclusions

The following activities are explicitly prohibited under this policy:

  • Performing any invasive, non-passive action on production and live systems without prior consent.
  • Leaving artifacts on CoLoop systems, such as posts, comments, and data without prior consent.
  • Using this policy to offer or sell services under the guise of ethical security research.
  • Exploitation of vulnerabilities for personal gain.
  • Repeated testing or exploitation after reporting.
  • Disclosure of vulnerabilities to third parties without CoLoop's prior consent.
  • Demanding compensation or payment after the disclosure has been deemed out of scope.
  • Any other activities that could be deemed harmful to the reputation of the company or to the experience of its users.

Guidelines for Responsible Disclosure

To ensure your findings are handled responsibly and without legal repercussions, CoLoop asks researchers to please:

  1. Act in Good Faith:
  2. Keep CoLoop and End-users in mind:
  3. Scope of Testing:
  4. Report Findings Promptly:
  5. Avoid Disclosure Until Resolved:

Reporting Process

  1. Submit Your Report: Email your findings to security@coloop.ai with the subject line: "Responsible Disclosure: [Vulnerability Name]".
  2. Include Necessary Details:
  3. Acknowledgment of Receipt:
  4. Evaluation Timeline:
  5. Accepting the Disclosure:

Our Commitment to Researchers

If you follow the guidelines of this policy, we commit to:

  • No Legal Action: We will not initiate legal action against researchers acting in good faith and in compliance with this policy. If we suspect that a researcher is not acting in good faith, we reserve the right, at our discretion, to take legal action and to decide whether to first reach out to discuss the matter.
  • Recognition: With your consent, we will send you a gift of appreciation and/or acknowledge your contribution on our Hall of Fame or similar platform at our discretion.
  • Transparency: We will provide regular updates on the status of the vulnerability you reported.

Hall of Fame

Researchers who responsibly disclose vulnerabilities and help improve our security will, with their consent, be listed on our Security Hall of Fame page as a token of appreciation.

Questions

If you have any questions about this policy, contact us at security@coloop.ai.

Thank you for helping us maintain the security and integrity of CoLoop's systems and services.