Vulnerability Disclosure Policy
Effective: 2026-04-30
APTcache is committed to operating to enterprise security standards. Account access, user data, and the integrity of our services are security-critical, and we want to know when something is wrong. This policy describes how to report vulnerabilities to us, what is in scope, what we ask researchers not to do, and the safe-harbour protections we extend to good-faith research.
1. How to report
Send vulnerability reports to security@aptcache.com. The same address is published in our security.txt.
A useful report typically includes:
- A description of the issue and its security impact
- Step-by-step reproduction (URLs, payloads, accounts used, timing)
- The hosts or endpoints affected
- Any attached proof-of-concept material — please redact personal data of other users if you happened to obtain any
- Your preferred name or handle for credit in the acknowledgements (if you want credit)
You may report anonymously. We do not require you to provide a real name, sign an NDA, accept terms before reporting, or wait for our acknowledgement before disclosing publicly — though we ask that you give us a reasonable opportunity to fix the issue first (see §5).
2. Scope
Findings on the following hosts and the systems behind them are in scope:
- aptcache.com (marketing site)
- www.aptcache.com
- auth.aptcache.com (OAuth 2.1 / OpenID Connect authorization server)
- app.aptcache.com (authenticated single-page application)
- mcp.aptcache.com (resource server)
- Any subdomain of aptcache.com that we operate directly
Vulnerability classes we are particularly interested in:
- Authentication bypass, account takeover, or session fixation — including OAuth / OpenID Connect protocol flaws (token leakage, authorization-code injection, mix-up, replay, PKCE downgrade, audience confusion, acceptance of reused refresh tokens)
- Multi-factor authentication or passkey (WebAuthn) bypass, including credential binding and reauthentication weaknesses
- Server-side request forgery, server-side template injection, deserialisation flaws
- SQL or NoSQL injection, command injection, path traversal
- Cross-site scripting in any browser-facing surface, especially anything that touches authentication state
- CSRF, clickjacking, or framing vulnerabilities on authenticated routes — note our structural CSRF guard, but report any gap
- Information disclosure of credentials, tokens, or other security-relevant data
- Logic flaws that allow privilege escalation or unauthorised access
- Cryptographic weaknesses (signing, hashing, randomness, key management)
3. Out of scope
The following are excluded from scope and from safe-harbour protection. Reports limited to these will typically be closed without action:
- Denial of service — please do not perform any test that consumes resources at scale (load testing, traffic flooding, account-creation flooding, resource exhaustion)
- Social engineering of our staff, users, partners, or contractors
- Physical attacks against our infrastructure or staff
- Findings against third-party services we do not operate (Cloudflare, Resend, federated identity providers, etc.) — please report those to the respective vendor
- Best-practice or hardening recommendations without a demonstrated security impact (e.g. “you should add header X,” “TLS configuration could be stricter,” “no rate limit on this endpoint” absent an exploitable consequence)
- Reports from automated scanners with no manual analysis or proof of impact
- Issues that require physical access to a victim’s unlocked device or already-compromised browser
- Self-XSS, tab-nabbing, or attacks that require the victim to perform implausible actions
- Outdated software versions without a demonstrated working exploit against our deployment
- Missing email security records (SPF / DKIM / DMARC) on subdomains we do not send mail from
- UI/UX issues, broken links, content typos — please email support@aptcache.com instead
4. Rules of engagement
While testing, you agree to:
- Test only against accounts you own or accounts the owner has explicitly given you permission to use
- Use accounts created specifically for testing (free to register), not accounts of third-party users
- Stop testing immediately if you encounter sensitive data of another user, and do not retain, copy, or transmit it beyond what is necessary to demonstrate the vulnerability
- Do not modify, delete, or exfiltrate data beyond the minimum needed to prove the finding
- Do not perform attacks that degrade availability for other users (volumetric attacks, brute-force at scale, resource exhaustion)
- Do not pivot from one finding to access systems or data unrelated to demonstrating the original issue
- Comply with all applicable laws — this policy does not authorise activity prohibited by law in your jurisdiction
5. Safe harbour
We will not take legal action against you, or ask law enforcement to investigate you, for security research conducted in good faith and in accordance with this policy. Specifically:
- We consider research conducted under this policy to be authorised access for the purposes of the Computer Misuse Act 1990 (UK), the Computer Fraud and Abuse Act (US), and equivalent computer-misuse laws in other jurisdictions
- We waive any restrictions in our Terms of Service that would interfere with research in scope of this policy, for the duration of that research
- We will not pursue claims for circumvention of technical measures that are necessary to demonstrate the vulnerability, provided you stay within the rules in §4
- If a third party initiates legal action against you for activity in good-faith accordance with this policy, we will take reasonable steps to make our authorisation known
This safe harbour applies only to the extent you act in good faith and within the scope, rules, and exclusions of this policy. Activity that violates §3 or §4 is not protected.
We ask that you give us a reasonable opportunity to remediate before disclosing publicly. By default, we ask for a 90-day disclosure window from the date you reported, extendable on agreement, with the option to coordinate a joint advisory. We will not try to silence you indefinitely.
6. Our response commitments
To every in-scope, good-faith report we receive, we commit to:
- Acknowledge receipt within 72 hours
- Triage and provide a status update within 14 days, including whether we accept the report, an initial severity assessment, and an expected remediation timeline
- Keep you informed at meaningful milestones (fix in development, fix deployed, public advisory if any)
- Credit you, by the name or handle you choose, on our Acknowledgments page and in any public advisory or coordinated disclosure post — unless you ask not to be credited
- Not threaten or pursue legal action against you for research conducted within the terms of this policy
7. Recognition and reward
APTcache does not currently operate a paid bug bounty programme. We do publicly acknowledge researchers who help us improve the security of the Service, and we may offer small tokens of appreciation (swag, account credit) at our discretion. If we introduce a paid programme, we will document it here and give existing researchers an opportunity to resubmit eligible historic reports.
8. Contact
security@aptcache.com
/.well-known/security.txt publishes our contact address, policy expiry date, and canonical URL in machine-readable form (RFC 9116).