Responsible Disclosure – Logistics
Last updated: 2025-11-04
1. Purpose
We value the security of our users and systems. This policy explains how security researchers can report vulnerabilities to Pichonia responsibly.
2. Scope
Report vulnerabilities affecting the logistics app, APIs, mobile builds, or infrastructure that Pichonia controls. Reports about services we do not control (e.g., third-party SDKs) may be forwarded to the relevant vendor where applicable.
3. How to Report
- Email: security@pichonia.com (preferred) or info@pichonia.com
- Include the details needed to reproduce the issue: affected endpoints, request/response samples, screenshots, PoC code.
- Do not publicly disclose until we confirm remediation or provide written permission.
4. Research Guidelines
- No data destruction, exfiltration, or service disruption.
- Only access accounts/data you own or have explicit permission to use for testing.
- Rate-limit your testing to avoid degrading service for others.
5. Our Commitment
- Acknowledge reports within 72 hours.
- Provide a status update at meaningful milestones.
- Remediate with priority proportional to severity.
- Credit (with permission) in release notes or a Hall of Thanks.
6. Safe Harbor
If you follow this policy in good faith, we will not initiate legal action for your security research.
7. Out of Scope (Non-qualifying)
- Social engineering, physical attacks, or DDoS.
- SPF/DMARC/DKIM suggestions, clickjacking on non-sensitive pages.
- Missing best-practice headers without demonstrable impact.
- Vulnerabilities that require a rooted/jailbroken device and carry no practical risk.
security@pichonia.com · info@pichonia.com