
Responsible Vulnerability Disclosure Program

We take our responsibility to protect and secure your information seriously and strive for transparency around our security practices.

Responsible Vulnerability Disclosure Policy

Introduction

At HappySignals, the security of our systems and the data entrusted to us is paramount. We believe that a strong security posture is a collective effort, and we greatly value the contributions of independent security researchers and the broader security community. This Responsible Vulnerability Disclosure Policy outlines our guidelines for discovering and reporting security vulnerabilities in our products, services, and infrastructure.
We are committed to working with the security community to investigate and resolve legitimate security issues swiftly and responsibly.

1. Scope

This policy applies to the publicly accessible parts of the HappySignals Platform and to cloud infrastructure resources exposed to the internet.

Out of Scope:
The following are explicitly out of scope for this policy and should not be tested:
  • Physical attacks against HappySignals employees, offices, or data centers.
  • Social engineering (e.g., phishing, vishing, smishing) of HappySignals employees or contractors.
  • Denial-of-Service (DoS) or Distributed Denial-of-Service (DDoS) attacks.
  • Attacks on third-party services or products not directly controlled by HappySignals (unless the vulnerability directly impacts our services via a misconfiguration or specific integration).
  • Attacks against services or systems clearly marked as “internal,” “stage,” “dev,” or “test.”
  • Vulnerabilities in outdated browser versions or plugins.
  • Missing security best practices that do not directly lead to an exploitable vulnerability (e.g., missing HTTP security headers that do not allow for content injection).
  • Descriptive error messages or banner disclosures that do not provide direct access to sensitive data or a direct attack vector.
  • Self-XSS (Cross-Site Scripting that requires the user to paste the payload into their own browser console).
  • Issues related to user enumeration through brute-forcing login pages or “Forgot Password” functionality that are sufficiently rate-limited.
  • Publicly accessible information that does not pose a security risk.
  • Vulnerabilities that require complex or unlikely user interaction to exploit.

2. How to Report a Vulnerability 

If you believe you have discovered a security vulnerability in one of our systems, please report it to us as quickly as possible via the following dedicated channel:
Please include the information we need to understand and reproduce the issue, for example:
  • Clear description of the vulnerability: What is the vulnerability, and what is its potential impact?
  • Steps to reproduce: Detailed, step-by-step instructions on how to replicate the vulnerability.
  • Proof-of-concept (PoC): If applicable, a working example or code snippet demonstrating the vulnerability.
  • Affected assets/URLs: Specific URLs, endpoints, or system components that are vulnerable.
  • Screenshots or video: Visual evidence of the vulnerability (if applicable).

3. Our Commitment

Upon receiving your vulnerability report, we commit to the following:
  • Acknowledgement: We will acknowledge receipt of your report within 4 business days.
  • Investigation: Our security team will investigate your report promptly and thoroughly.
  • Communication: We will keep you updated on the status of your report, including any questions we may have or requests for further information.
  • Remediation: We will work diligently to validate and remediate confirmed vulnerabilities. The time to resolve will depend on the complexity and severity of the issue.
  • Transparency (with discretion): We will collaborate with you on public disclosure, if desired, after the vulnerability has been fixed. We prefer to remediate the issue before any public disclosure.
  • No Legal Action: We will not pursue legal action against individuals who discover and report vulnerabilities in good faith, in compliance with this policy, and without causing disruption or harm.

4. Guidelines for Responsible Disclosure

To ensure a productive and secure disclosure process, we ask you to:
  • Act in Good Faith: Conduct your research ethically and responsibly.
  • Do Not Disclose Publicly Without Permission: Do not disclose any information about the vulnerability to the public or to any third party until we have acknowledged the report, investigated it, fixed the issue, and mutually agreed upon a disclosure plan (if any).
  • Do Not Interrupt Our Services: Avoid any testing or activities that could disrupt our services, compromise data integrity, or impact user experience.
  • Do Not Access or Modify Data: Do not access, modify, delete, or store any user data without explicit permission. Only access enough data to prove the vulnerability.
  • Avoid Privacy Violations: Do not attempt to access or exploit personal user accounts or data.
  • Comply with Laws: Adhere to all applicable laws and regulations.

5. Legal Disclaimer 

This policy is designed to encourage responsible vulnerability reporting. If you do not follow the guidelines set out in this policy, HappySignals reserves the right to take appropriate legal action. We do not authorize any activities that are not in accordance with this policy.
Thank you for helping us keep HappySignals secure!
 

Updated August 8th, 2025.