Skip to content
Last updated: 15 Jul 2026

Vulnerability Disclosure Policy

We value the work of security researchers. This policy explains how to report a vulnerability to Hellomatik, what you can expect from us, and the rules that keep good-faith research safe.

1) How to report

If you believe you have found a security vulnerability in any Hellomatik service, please email administracion@hellomatik.com with a clear description. Machine-readable details live in our security.txt (RFC 9116).

  • Include the affected URL or endpoint, the steps to reproduce, and the impact you believe the issue has.
  • Attach proof-of-concept material where it helps (requests, screenshots, minimal scripts).
  • Write in English or Spanish — both reach the same team.

2) What you can expect from us

  • We acknowledge reports within 3 business days.
  • We keep you informed of our progress and tell you when the issue is fixed.
  • We will not take legal action against research done in good faith under this policy.
  • With your permission, we credit your finding once it is resolved.

3) Rules of engagement

Good-faith research means:

  • Do not access, modify or delete data that is not yours. If a proof of concept requires demonstrating access, stop at the minimum evidence needed.
  • Do not degrade the service: no denial-of-service testing, no spam, no social engineering of Hellomatik staff or customers.
  • Do not disclose the issue publicly before we have confirmed a fix and agreed on timing with you.
  • Only test against systems operated by Hellomatik; our customers' own websites and systems are out of scope.

4) Scope

In scope: hellomatik.com and Hellomatik-operated application services. Out of scope: findings that require physical access, results of automated scanners without a demonstrated impact, missing security headers on pages without sensitive actions, and vulnerabilities in third-party services we use — report those to the third party, and let us know so we can follow up.