Responsible Disclosure

This page covers two situations: when we report a security issue to a third-party vendor, and when someone reports a security issue in one of our own products to us.

When we report to a vendor

When our research line identifies a security issue in another company's application, we follow these steps:

  1. Initial contact. We send a short, high-level email to the developer contact address listed for the app on the Google Play Store. This first message contains no technical detail: no exploit code, no sensitive data, and no step-by-step instructions that could enable harm.
  2. Acknowledgement. We wait for the vendor to confirm a point of contact for security communications. We do not publish, share, or sell findings during this period.
  3. Technical disclosure. Once a contact is confirmed, we share the affected component, the root cause, and a recommended fix.
  4. Remediation window. We give vendors reasonable time to remediate. We do not impose hard deadlines, and we do not threaten public disclosure to apply pressure.
  5. Follow-up. We send at most two follow-ups, at least seven days apart. If we have heard nothing after 90 days, the case is closed and recorded as "no response"; even then we do not publish details unilaterally.

We do not access real user accounts and limit any runtime testing to test accounts we create ourselves. If user data is incidentally observed while identifying that an access control is missing, we do not retain or analyse it; such data is deleted once the finding has been documented.

If you received a disclosure email from us

Please reply to the address from which we contacted you (typically research@sumosols.com) with the security contact for your team. We will share technical detail securely once a contact is confirmed. There is no obligation to engage us further; the disclosure is provided in good faith with no conditions attached.

Reporting an issue in our own products

If you believe you have found a security issue in a Sumo Solutions website or product, we appreciate the report. Please email research@sumosols.com with:

Safe harbour. We will not pursue legal action against, or report to law enforcement, anyone who reports a security issue to us in good faith — provided that the reporter (a) does not access more data than necessary to demonstrate the issue, (b) does not modify or destroy data, (c) gives us a reasonable opportunity to remediate before any public disclosure, and (d) does not violate any applicable law in the course of testing.

Out of scope

Bounty & affiliations

We do not currently operate a paid bug bounty programme. We are happy to publicly acknowledge researchers who report valid issues to us, where they wish to be acknowledged.

Our research work is independent and is not conducted on behalf of, or in affiliation with, any bug bounty platform (HackerOne, Bugcrowd, Intigriti, or similar). We do not act as intermediaries between researchers and platforms.

Machine-readable contact

Our security contact information is also published in /.well-known/security.txt per RFC 9116.
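RFC 9116 fixes the shape of that file: one "Field: value" per line, "#" comments, a required Contact field whose value is a URI (so an email address needs the mailto: scheme and a web address must use https), and exactly one required Expires field in RFC 3339 date-time form that is recommended to be less than a year ahead; Preferred-Languages may appear at most once, and fields a parser does not recognise are ignored. The validator below, an added example rather than any tooling Sumo Solutions publishes, checks a security.txt against those rules. The two sample files it carries are constructed for the example; they are not the file served at sumosols.com, and the Expires date and Canonical URL in them are assumptions.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import urlparse

# Constructed sample that passes every check below. Not the real file served
# at /.well-known/security.txt; the Expires date and Canonical URL are assumptions.
SAMPLE_SECURITY_TXT = """\
# Security contact for Sumo Solutions (constructed example)
Contact: mailto:research@sumosols.com
Expires: 2031-01-01T00:00:00.000Z
Preferred-Languages: en
Canonical: https://www.sumosols.com/.well-known/security.txt
"""

# Constructed sample that breaks several rules at once: a bare email address
# (no mailto: scheme), an http web URI, a duplicated Expires field and stale dates.
BAD_SECURITY_TXT = """\
Contact: research@sumosols.com
Contact: http://www.sumosols.com/security
Expires: 2020-01-01T00:00:00Z
Expires: 2020-02-01T00:00:00Z
"""

REQUIRED = {"contact", "expires"}          # RFC 9116: both MUST be present
SINGLE_VALUED = {"expires", "preferred-languages"}  # MUST NOT appear more than once


def parse_security_txt(text):
    """Return (field, value) pairs in file order. Field names are case-insensitive,
    so they are lower-cased; blank lines and '#' comments are skipped."""
    fields = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if ":" not in line:
            raise ValueError(f"line {lineno}: not a 'Field: value' line")
        name, value = line.split(":", 1)
        fields.append((name.strip().lower(), value.strip()))
    return fields


def parse_rfc3339(value):
    """Parse an RFC 3339 date-time such as 2031-01-01T00:00:00Z; must carry an offset."""
    if value.endswith("Z"):               # fromisoformat() before 3.11 rejects a trailing Z
        value = value[:-1] + "+00:00"
    stamp = datetime.fromisoformat(value)
    if stamp.tzinfo is None:
        raise ValueError("RFC 3339 date-time needs a time-zone offset")
    return stamp


def validate_security_txt(text, now=None):
    """Return a list of problems; an empty list means the file satisfies the checks.
    `now` is injectable so the Expires checks are reproducible."""
    now = now or datetime.now(timezone.utc)
    problems = []
    fields = parse_security_txt(text)
    names = [name for name, _ in fields]

    for req in sorted(REQUIRED):
        if req not in names:
            problems.append(f"missing required field {req}")
    for single in sorted(SINGLE_VALUED):
        if names.count(single) > 1:
            problems.append(f"{single} must appear at most once")

    for name, value in fields:
        if name == "contact":
            uri = urlparse(value)
            if not uri.scheme:            # e.g. a bare email address; needs mailto:
                problems.append(f"contact value is not a URI: {value!r}")
            elif uri.scheme == "http":    # web URIs in Contact MUST use https
                problems.append(f"contact web URI must use https: {value!r}")
        elif name == "expires":
            try:
                expires = parse_rfc3339(value)
            except ValueError as exc:
                problems.append(f"expires is not RFC 3339: {value!r} ({exc})")
                continue
            if expires <= now:
                problems.append(f"expires {value} is in the past; file is stale")
            elif expires > now + timedelta(days=365):
                problems.append(f"expires {value} is more than a year out")
        # Unknown fields are ignored, as RFC 9116 requires of parsers.
    return problems


if __name__ == "__main__":
    for label, text in (("sample", SAMPLE_SECURITY_TXT), ("bad", BAD_SECURITY_TXT)):
        print(label, validate_security_txt(text) or "OK")
```

The checks are deliberately the ones a researcher trips over in practice: an address without mailto: is not a URI, and a stale Expires means the contact may no longer be monitored, so a reporter should fall back to another channel.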