Responsible Disclosure Policy
Last updated: July 4, 2026
CORPYO values the work of independent security researchers. If you believe you have found a security vulnerability in our systems, we want to hear from you, and we are committed to working with you in good faith to understand and resolve the issue.
Scope
This policy applies to:
- The CORPYO website and marketing pages (corpyo.com and subdomains)
- The CORPYO customer dashboard and authentication systems
- The CORPYO public API
The following are out of scope:
- Denial-of-service (DoS/DDoS) testing against production systems
- Social engineering, phishing, or physical attacks against CORPYO staff
- Automated scanning that generates high-volume traffic without prior
- Testing against third-party services we integrate with (report those
- Findings that require physical access to a device or require an
or facilities
coordination with security@corpyo.com
directly to the third party)
already-compromised account
Reporting Process
Please email security@corpyo.com with:
1. A clear description of the vulnerability and its potential impact 2. Step-by-step instructions to reproduce it 3. Any proof-of-concept code, screenshots, or request/response samples (please avoid accessing, modifying, or exfiltrating data beyond what is strictly necessary to demonstrate the issue) 4. Your contact details, so we can follow up with questions or credit your finding
If you need to share sensitive details securely, request our current PGP key via the same address before sending report content. Our published `security.txt` file (at `/.well-known/security.txt`) also lists our current reporting contact and encryption key.
Response Timeline
We aim to:
- Acknowledge new reports within 3 business days
- Provide an initial assessment (validity, severity, scope) within
- Keep you updated on remediation progress at reasonable intervals
10 business days
until the issue is resolved
Response times may vary with report volume and complexity, but we will communicate proactively rather than leave a report unanswered.
Safe Harbor
CORPYO will not pursue legal action against researchers who:
- Make a good-faith effort to comply with this policy
- Avoid privacy violations, data destruction, and service disruption
- Only interact with accounts they own or have explicit permission to
- Give us a reasonable opportunity to investigate and remediate a finding
test
before any public disclosure
We consider security research conducted consistently with this policy to be authorized, and we will not initiate legal action or report you to law enforcement for that research. If a third party initiates legal action against you for activity conducted in compliance with this policy, we will make it known that your actions were authorized.
Coordinated Disclosure
We ask that you give us a reasonable window to investigate and remediate before sharing details of a vulnerability publicly. We are happy to discuss disclosure timelines with researchers on a case-by-case basis and will credit researchers (with permission) once a fix has shipped.
Security Contact
Email: security@corpyo.com Vulnerability disclosure report: security@corpyo.com RFC 9116 file: `/.well-known/security.txt`