This Vulnerability Disclosure Policy explains how to report suspected security vulnerabilities affecting C4CI Arch and related C4CI-operated product surfaces.
Reports should be sent to support@c4ci.io with "Security vulnerability report" in the subject line.
1. Safe Harbor
C4CI will not pursue legal action against researchers for good-faith security research that complies with this policy, avoids harm, and does not access, modify, destroy, exfiltrate, or disclose data without authorisation.
This safe harbor does not apply to extortion, social engineering, physical attacks, denial-of-service attacks, malware, persistence, credential theft, or research that violates law.
2. In-Scope Systems
In-scope systems include C4CI-operated production product surfaces, tenant portal routes, Admin Hub routes, public legal and trust pages, and product APIs that C4CI identifies as public or customer-accessible.
Customer-owned systems, third-party providers, demo data not operated by C4CI, and systems not controlled by C4CI are out of scope.
3. Rules of Engagement
Researchers must:
- use only accounts and organisations they own or are authorised to test;
- avoid accessing, changing, deleting, or exfiltrating data that is not theirs;
- avoid privacy violations and disruption;
- avoid automated high-volume scanning unless C4CI gives written approval;
- stop testing and report promptly if customer data, secrets, or a tenant isolation risk is discovered;
- keep vulnerability details confidential until C4CI confirms remediation or authorises disclosure.
4. Prohibited Testing
The following activity is prohibited without prior written approval:
- denial-of-service or load testing;
- social engineering, phishing, or credential attacks;
- physical attacks against offices, employees, or data centers;
- malware, persistence, destructive payloads, or ransomware simulation;
- spam, fraud, billing abuse, or payment abuse;
- attacks against third-party providers;
- accessing or extracting another tenant's data beyond the minimum evidence needed to prove the issue.
5. Report Contents
Useful reports include:
- affected URL, API route, component, or feature;
- vulnerability class and impact;
- step-by-step reproduction instructions;
- proof-of-concept requests or screenshots with sensitive data redacted;
- account, organisation, and timestamp used for testing;
- suggested remediation if known;
- researcher contact details.
Do not include secrets, personal data, or customer data unless strictly necessary. Redact sensitive values wherever possible.
6. Triage and Response
C4CI will acknowledge reports when received and triage them based on severity, exploitability, tenant isolation impact, affected data, and operational risk.
The target initial response time is 5 business days for valid reports. Critical issues may receive a faster response where practical.
C4CI may request additional information, apply mitigations, deploy fixes, notify affected customers, or reject reports that are not reproducible or are out of scope.
7. Recognition
C4CI may recognise researchers who submit valid reports if the researcher wants recognition and disclosure is safe. C4CI does not currently operate a paid bug bounty unless a separate bounty program states otherwise.
8. Coordinated Disclosure
Researchers must not publicly disclose vulnerability details until C4CI confirms that the issue is resolved or gives written permission. C4CI will work in good faith toward timely remediation and coordinated disclosure.
9. Contact
Send vulnerability reports to support@c4ci.io with "Security vulnerability report" in the subject line.