Responsible Disclosure Policy

Guidelines for Reporting Security Vulnerabilities

Written by Michael Ugrin

Revised: December 2025

At Community Boss we take the security and privacy of our customers seriously. We welcome reports from security researchers and the public, and we appreciate your efforts to help keep our systems safe.

If you’ve discovered a potential vulnerability, we want to hear from you.


How to Report a Vulnerability

Please send reports to:

Include as much detail as you can:

  • A clear description of the issue

  • Steps to reproduce

  • Potential impact

  • Any relevant URLs, screenshots, or proof-of-concepts

Please do not publicly disclose the issue until we have resolved it or we have mutually agreed on a disclosure timeline.


What You Can Expect From Us

  • We will acknowledge receipt of your report within 3 business days.

  • We will provide periodic updates as we investigate the issue.

  • We will notify you when the issue is resolved.

  • Compensation may be offered based on the severity, impact, and novelty of the finding. (Not all reports qualify for rewards.)

  • We aim to resolve issues promptly but do not guarantee specific remediation timelines.


Scope

Unless otherwise stated, this policy applies to:

  • Systems and services under the communityboss.com domain

  • Applications and infrastructure operated directly by Community Boss

Out of scope:

  • Third-party services (e.g., Intercom, Stripe, Google APIs), unless the vulnerability is caused by our implementation

  • Local device issues, browser extensions, or network-level vulnerabilities not specific to our services


In Scope (Examples)

  • Authentication or authorization flaws

  • Access to data belonging to other users

  • Broken access control

  • SQL injection, command injection, or remote code execution

  • Vulnerabilities that materially impact confidentiality, integrity, or availability


Out of Scope

The following items are not considered vulnerabilities under this program:

  • Automated scanner findings without a clear, reproducible impact

  • SPF/DKIM/DMARC configuration suggestions

  • Rate-limiting recommendations

  • Missing HTTP security headers with no exploitable risk

  • Clickjacking on pages with no sensitive functionality

  • Denial-of-service attacks or resource-exhaustion attempts

  • Social engineering or phishing of employees or contractors


Allowed Testing Methods

We encourage good-faith research while avoiding harm:

Permitted:

  • Testing accounts you own or control

  • Non-destructive testing

  • Manual testing or limited automated tools that do not degrade service


Safe Harbor

As long as you act in good faith and follow this policy:

  • Your research will be considered authorized, including under the CFAA and similar anti-hacking laws

  • We will not pursue legal action or involve law enforcement

  • We will consider any DMCA circumvention concerns waived

  • We will work with you to understand and resolve the issue

Please avoid accessing or modifying data that is not your own. If you unintentionally access such data, stop immediately and report it.


Coordinated Disclosure

We ask for at least 90 days from our acknowledgement before any public disclosure, unless we mutually agree on a different timeline.


Thank You

We appreciate your efforts to help keep Community Boss secure.
If you have questions about this policy, contact us anytime at [email protected]