Vulnerability Disclosure Policy

Purpose and Scope

The purpose of this document is to establish a clear, structured, and secure framework for the reporting and remediation of security vulnerabilities. This policy applies to all digital assets, including the ES Foundation platform, ES Portal, and managed AWS infrastructure. It is designed to minimize risk while maintaining transparency with security researchers, clients, and partners.

Internal Monitoring & Tools

ElasticScale maintains a proactive security posture through continuous internal oversight. We use Aikido for automated software bill of materials (SBOM) analysis, static application security testing (SAST), and dependency tracking. Our AWS environment is monitored for unauthorized manual changes to Security Groups and IAM roles. We also keep our n8n instances private and check them regularly against published CVEs so that our automation workflows cannot be exploited through known vulnerabilities.
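As an illustration of the kind of check described above, the following is an added example (not ElasticScale's own monitoring code) that scans CloudTrail records for writes to Security Groups and IAM roles and flags any that did not come through the deployment pipeline. It assumes a single hypothetical automation principal, TerraformDeployRole in account 123456789012, and treats any other principal, or any console session, as a manual change; the CloudTrail records are constructed for the example.

```python
"""Flag manual (non-pipeline) changes to Security Groups and IAM roles.

Added example, not ElasticScale's tooling. Hypothetical assumptions:
  - infrastructure is changed only through AUTOMATION_ROLE_ARN
  - any other principal, or any console session, is a "manual" change
"""
from typing import Iterable

# Hypothetical: the only principal expected to mutate SGs / IAM roles.
AUTOMATION_ROLE_ARN = "arn:aws:iam::123456789012:role/TerraformDeployRole"

SG_WRITE_EVENTS = {
    "AuthorizeSecurityGroupIngress", "AuthorizeSecurityGroupEgress",
    "RevokeSecurityGroupIngress", "RevokeSecurityGroupEgress",
    "CreateSecurityGroup", "DeleteSecurityGroup",
}
IAM_ROLE_WRITE_EVENTS = {
    "CreateRole", "DeleteRole", "UpdateAssumeRolePolicy", "AttachRolePolicy",
    "DetachRolePolicy", "PutRolePolicy", "DeleteRolePolicy",
}


def _principal_arn(record: dict) -> str:
    """Role ARN for assumed-role sessions, otherwise the caller's own ARN."""
    identity = record.get("userIdentity", {})
    issuer = identity.get("sessionContext", {}).get("sessionIssuer", {})
    return issuer.get("arn") or identity.get("arn", "")


def _is_console(record: dict) -> bool:
    """CloudTrail marks console sessions; the userAgent check is a fallback."""
    if record.get("sessionCredentialFromConsole") == "true":
        return True
    return "console" in record.get("userAgent", "").lower()


def flag_manual_changes(records: Iterable[dict]) -> list:
    """Return one alert per SG / IAM-role write not made by the pipeline role."""
    alerts = []
    for r in records:
        name, src = r.get("eventName", ""), r.get("eventSource", "")
        if src == "ec2.amazonaws.com" and name in SG_WRITE_EVENTS:
            kind = "security-group"
        elif src == "iam.amazonaws.com" and name in IAM_ROLE_WRITE_EVENTS:
            kind = "iam-role"
        else:
            continue  # read-only or unrelated API call
        actor = _principal_arn(r)
        console = _is_console(r)
        # Pipeline role used non-interactively is the expected path; a human
        # assuming that same role in the console still counts as manual.
        if actor == AUTOMATION_ROLE_ARN and not console:
            continue
        alerts.append({"kind": kind, "event": name, "actor": actor,
                       "console": console, "time": r.get("eventTime")})
    return alerts


# Constructed sample records (trimmed CloudTrail shape), not real log data.
_ACCT = "123456789012"
SAMPLE_RECORDS = [
    {   # IAM user opening a port from the console -> manual
        "eventTime": "2024-05-01T10:00:00Z", "eventSource": "ec2.amazonaws.com",
        "eventName": "AuthorizeSecurityGroupIngress",
        "userIdentity": {"type": "IAMUser", "arn": f"arn:aws:iam::{_ACCT}:user/alice"},
        "sessionCredentialFromConsole": "true", "userAgent": "console.ec2.amazonaws.com",
    },
    {   # same change made by Terraform through the pipeline role -> expected
        "eventTime": "2024-05-01T10:05:00Z", "eventSource": "ec2.amazonaws.com",
        "eventName": "AuthorizeSecurityGroupIngress",
        "userIdentity": {"type": "AssumedRole",
                         "arn": f"arn:aws:sts::{_ACCT}:assumed-role/TerraformDeployRole/ci",
                         "sessionContext": {"sessionIssuer": {"arn": AUTOMATION_ROLE_ARN}}},
        "userAgent": "APN/1.0 HashiCorp/1.0 Terraform/1.6.0",
    },
    {   # admin attaching a policy to a role from the console -> manual
        "eventTime": "2024-05-01T10:10:00Z", "eventSource": "iam.amazonaws.com",
        "eventName": "AttachRolePolicy",
        "userIdentity": {"type": "AssumedRole",
                         "arn": f"arn:aws:sts::{_ACCT}:assumed-role/AdminRole/bob",
                         "sessionContext": {"sessionIssuer": {"arn": f"arn:aws:iam::{_ACCT}:role/AdminRole"}}},
        "sessionCredentialFromConsole": "true", "userAgent": "console.amazonaws.com",
    },
    {   # read-only call -> ignored
        "eventTime": "2024-05-01T10:15:00Z", "eventSource": "ec2.amazonaws.com",
        "eventName": "DescribeSecurityGroups",
        "userIdentity": {"type": "IAMUser", "arn": f"arn:aws:iam::{_ACCT}:user/alice"},
        "userAgent": "aws-cli/2.15.0",
    },
    {   # pipeline role assumed interactively in the console -> still manual
        "eventTime": "2024-05-01T10:20:00Z", "eventSource": "iam.amazonaws.com",
        "eventName": "CreateRole",
        "userIdentity": {"type": "AssumedRole",
                         "arn": f"arn:aws:sts::{_ACCT}:assumed-role/TerraformDeployRole/bob",
                         "sessionContext": {"sessionIssuer": {"arn": AUTOMATION_ROLE_ARN}}},
        "sessionCredentialFromConsole": "true", "userAgent": "console.amazonaws.com",
    },
]

if __name__ == "__main__":
    for alert in flag_manual_changes(SAMPLE_RECORDS):
        print(alert)
```

The allowlist-by-principal approach is what keeps the check useful: alerting on every Security Group or IAM change would be pure noise in an environment that deploys through Terraform, so the rule instead asks "did this write come from the one identity that is supposed to make it, non-interactively?" Anything else is worth a human look, including the pipeline role used from a console session.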

Guidelines for Responsible Disclosure

We encourage the reporting of security flaws and commit to a non-adversarial relationship with researchers who adhere to the following guidelines:

  • Staging Only: All vulnerability research and testing must be performed within the designated Staging environment at portal.elasticscale-stg.io. Probing, scanning, or testing against production environments or live client AWS accounts is strictly prohibited.
  • No Data Exfiltration: Researchers must not attempt to access, modify, or delete data belonging to ElasticScale or its B2B SaaS clients. If sensitive data is inadvertently accessed, it must be reported immediately and deleted.
  • No Disruption: Do not perform Denial of Service (DoS) attacks, brute-force testing, or any activity that impacts the availability of our services.

No Bug Bounty Program

ElasticScale does not currently operate a paid bug bounty program. We do not offer financial compensation or "bounties" for the reporting of security vulnerabilities.

Reporting Process

Security findings should be documented and submitted to [email protected]. Reports should include:

  • A detailed description of the vulnerability and its potential impact.
  • Step-by-step instructions or a proof-of-concept (PoC) to reproduce the issue.
  • Information regarding the tools used and the specific environment where the flaw was discovered.

Remediation and Response

Upon receipt of a valid report, the Incident Response Team will acknowledge the submission within 48 hours. We prioritize handling based on the functional and information impact of the flaw. We request that researchers allow us a reasonable timeframe to remediate the issue before any public disclosure. ElasticScale will provide periodic updates during the remediation phase and will document lessons learned to improve our secure coding standards and operational procedures.

Safe Harbor

ElasticScale will not pursue legal action against individuals who conduct security research and disclose vulnerabilities in good faith and in accordance with this policy. We value the contribution of the security community in helping us maintain a high internal security standard.