Introduction

CAPS (Cypherdote Advanced Phishing Simulator) is an enterprise-grade phishing simulation and security awareness platform built by Cypherdote. We take the security of our platform, our customers, and their data seriously.

This Responsible Disclosure Policy outlines how security researchers can report vulnerabilities they discover in CAPS, and what to expect from us in return. We are committed to working collaboratively with the security community to keep our platform safe.

Effective Date: June 01, 2025  |  Last Updated: June 01, 2025

Scope

The following assets and domains are within scope for responsible disclosure:

Asset                    |  Type               |  Status
capsplatform.com         |  Web Application    |  In Scope
*.capsplatform.com       |  Subdomains         |  In Scope
CAPS API Endpoints       |  API                |  In Scope
Third-party services     |  External           |  Out of Scope
cypherdote.com           |  Corporate Website  |  Out of Scope

Guidelines for Researchers

When conducting security research on CAPS, we ask that you:

  • Only test against accounts you own or have explicit written permission to test.
  • Do not access, modify, or delete data belonging to other users or customers.
  • Do not perform actions that could degrade, disrupt, or damage the CAPS platform or its infrastructure (e.g., denial-of-service attacks).
  • Do not conduct social engineering, phishing, or physical attacks against Cypherdote employees, customers, or partners.
  • Do not publicly disclose the vulnerability until we have confirmed it has been resolved and have given explicit written approval.
  • Provide sufficient detail in your report for us to reproduce and verify the vulnerability.
  • Act in good faith to avoid privacy violations, data destruction, and interruption of service.
  • Comply with all applicable laws and regulations throughout your research.

How to Report a Vulnerability

If you believe you have found a security vulnerability in the CAPS platform, please report it by following these steps:

1. Send an email

Submit your findings to our security team at the email address below. Use encryption (PGP) if possible for sensitive details.

2. Include key details

Describe the vulnerability, affected asset(s), steps to reproduce, potential impact, and any proof-of-concept (screenshots, videos, HTTP requests).

3. Provide your contact information

Include your name (or alias), email address, and any preferred communication channel so we can follow up promptly.

4. Wait for our response

Allow up to 3 business days for an initial acknowledgement. We will keep you informed of our progress throughout the remediation process.

[email protected]

Our Response Commitment

When you submit a vulnerability report, here is what you can expect from us:

  • Acknowledgement: We will confirm receipt of your report within 3 business days.
  • Triage & Assessment: Our security team will evaluate the severity and validity of the report within 7 business days.
  • Remediation: We will work to resolve confirmed vulnerabilities based on severity — critical and high issues are prioritized immediately.
  • Notification: You will be notified when the vulnerability has been patched, and we will coordinate on any public disclosure timelines.
  • Transparency: If we determine the report is not a valid vulnerability, we will provide a clear explanation of our reasoning.

Exclusions

The following are out of scope unless they demonstrate significant security impact:

  • Automated scanner output without manual verification or proven impact.
  • Missing headers, SSL/TLS best practices, or clickjacking without a working exploit.
  • CSRF on unauthenticated or non-sensitive forms.
  • DoS/DDoS, physical, or social engineering attacks.
  • Issues in third-party services not managed by Cypherdote.
  • SPF/DKIM/DMARC or content injection issues without a demonstrable attack.

Recognition & Rewards

We deeply appreciate the contributions of the security research community. While CAPS does not currently operate a paid bug bounty program, we offer the following to researchers who submit valid, in-scope vulnerability reports:

  • Public acknowledgement on our Security Hall of Fame (with your consent).
  • A letter of appreciation from the Cypherdote security team that can be used for professional purposes.
  • Direct communication with our engineering and security teams during the remediation process.
  • Swag and merchandise for high-severity, impactful findings (at our discretion).

Note: Rewards and recognition are at the sole discretion of Cypherdote and are determined based on the severity, impact, and quality of the submission.

Hall of Fame

No researchers listed yet. Be the first to responsibly disclose a vulnerability and get recognized here.

Contact

For any questions regarding this policy or to submit a vulnerability report, please reach out to us:

This policy is subject to periodic review and updates. Last updated: June 2025.