Security Researchers

Responsible disclosure program for security researchers. Last updated: March 9, 2026 | Version 1.1

Simply Asking takes security seriously. We value the work of security researchers who help us identify vulnerabilities and improve our platform. This policy outlines how to responsibly disclose security issues and what you can expect from us.

Safe Harbor

We will not pursue legal action against researchers who follow this policy in good faith.

1. Scope

In Scope

  • *.simplyasking.io - All subdomains
  • Authentication and authorization systems
  • Data storage and encryption
  • API endpoints
  • AI/ML model security (prompt injection, data leakage)

Out of Scope

  • Third-party services (report directly to those providers)
  • Social engineering attacks against employees
  • Physical security
  • Denial of service (DoS/DDoS) attacks
  • Spam or phishing
  • Issues requiring outdated browsers or plugins

2. What We're Looking For

We're interested in vulnerabilities that could compromise user data or system integrity:

  • Authentication or authorization bypasses
  • Cross-site scripting (XSS)
  • SQL injection or other injection attacks
  • Server-side request forgery (SSRF)
  • Insecure direct object references (IDOR)
  • Sensitive data exposure
  • AI prompt injection leading to data leakage
  • Security misconfigurations with real impact

3. Generally Not Applicable

The following typically don't qualify as security vulnerabilities:

  • Missing security headers without demonstrated exploit
  • Self-XSS (requires victim to paste malicious code)
  • CSRF on non-sensitive actions (login/logout)
  • Email enumeration
  • Password policy suggestions
  • Theoretical issues without proof of concept
  • Issues already known or previously reported
  • Vulnerabilities in dependencies without demonstrated impact

4. How to Report

Step 1: Document

Prepare a clear report including: vulnerability type, affected URL/endpoint, step-by-step reproduction instructions, and proof of concept if possible.

Step 2: Submit

Email your report to security@simplyasking.io

Step 3: Wait for Response

We'll acknowledge receipt within 3 business days and provide an initial assessment within 10 business days.

Step 4: Coordinated Disclosure

Please allow us 90 days to address the issue before any public disclosure. We'll work with you on timing and credit.

5. Rules of Engagement

To ensure safe harbor protection:

  • Do not access, modify, or delete data belonging to other users
  • Do not degrade service availability
  • Do not use social engineering against employees
  • Do not publicly disclose before coordinating with us
  • Do use test accounts you control
  • Do stop testing once you've confirmed a vulnerability
  • Do report findings promptly

6. Our Commitment

If you follow this policy in good faith, Simply Asking commits to:

  • Not pursue legal action against you
  • Work with you to understand and resolve the issue
  • Keep you informed of our progress
  • Credit you publicly (if desired) when the issue is resolved

7. Recognition

We believe in recognizing those who help make our platform more secure:

  • Public acknowledgment in our Security Hall of Fame (with your permission)
  • LinkedIn recommendation from our security team upon request
  • Reference letter for significant contributions

Security Hall of Fame

Be the first to be recognized!

Report a valid vulnerability to join our Hall of Fame.
