Vulnerability Disclosure Policy
We value the work of security researchers. This policy explains how to report a vulnerability to Hellomatik, what you can expect from us, and the rules that keep good-faith research safe.
1) How to report
If you believe you have found a security vulnerability in any Hellomatik service, please email administracion@hellomatik.com with a clear description. Machine-readable details live in our security.txt (RFC 9116).
- Include the affected URL or endpoint, the steps to reproduce, and the impact you believe the issue has.
- Attach proof-of-concept material where it helps (requests, screenshots, minimal scripts).
- Write in English or Spanish — both reach the same team.
2) What you can expect from us
- We acknowledge reports within 3 business days.
- We keep you informed of our progress and tell you when the issue is fixed.
- We will not take legal action against research done in good faith under this policy.
- With your permission, we credit your finding once it is resolved.
3) Rules of engagement
Good-faith research means:
- Do not access, modify or delete data that is not yours. If a proof of concept requires demonstrating access, stop at the minimum evidence needed.
- Do not degrade the service: no denial-of-service testing, no spam, no social engineering of Hellomatik staff or customers.
- Do not disclose the issue publicly before we have confirmed a fix and agreed on timing with you.
- Only test against systems operated by Hellomatik; our customers' own websites and systems are out of scope.
4) Scope
In scope: hellomatik.com and Hellomatik-operated application services. Out of scope: findings that require physical access, results of automated scanners without a demonstrated impact, missing security headers on pages without sensitive actions, and vulnerabilities in third-party services we use — report those to the third party, and let us know so we can follow up.