Security Vulnerability Disclosure Policy

Last Updated: March 2026

CyberPolicyPros LLC is a cybersecurity company. We take the security of our website and the data of our customers seriously. This policy describes how to report security vulnerabilities in our systems and how we will respond.

Scope

This policy applies to security vulnerabilities discovered in:

  • The CyberPolicyPros website at cyberpolicypros.net and all subdomains
  • Our checkout and payment processing flow
  • Our customer account and order management system
  • Any API endpoints or web services operated by CyberPolicyPros

This policy does not apply to third-party services we use (such as GoDaddy, Stripe, or Jotform). Vulnerabilities in those services should be reported directly to them.

How to Report a Vulnerability

If you believe you have discovered a security vulnerability in our systems, please report it responsibly by contacting us at:

Email: legal@cyberpolicypros.net
Subject line: Security Vulnerability Report
PGP encryption: Not currently available. Do not include live exploit code or sensitive customer data in your report.

Please include in your report:

  • A description of the vulnerability and the affected system or URL
  • The type of vulnerability (e.g., XSS, SQL injection, CSRF, authentication bypass)
  • Steps to reproduce the issue, including any tools or scripts used
  • Your assessment of the potential impact
  • Your contact information (name and email) for follow-up

Our Commitments to Researchers

  • Acknowledgment within 48 hours. We will acknowledge receipt of your report within two business days.
  • Status updates. We will provide updates on our investigation and remediation progress within 10 business days of the initial acknowledgment.
  • No legal action. CyberPolicyPros will not initiate legal action against researchers who discover and report vulnerabilities in good faith, comply with this policy, and do not exploit vulnerabilities beyond what is necessary to demonstrate the issue.
  • Credit. With your permission, we will publicly acknowledge your contribution after the vulnerability is remediated.

Responsible Disclosure Guidelines

We ask that you:

  • Do not access, modify, or delete customer data
  • Do not degrade the performance or availability of our services
  • Do not conduct social engineering, phishing, or physical security attacks against our staff or facilities
  • Do not disclose the vulnerability publicly until we have had a reasonable opportunity to remediate it (we request a minimum of 90 days from acknowledgment before public disclosure)
  • Make a good faith effort to avoid privacy violations and service disruption during your research

Remediation Timeline

We are committed to remediating confirmed vulnerabilities according to the following severity-based schedule:

  • Critical (CVSS 9.0-10.0): Within 24 hours of confirmation
  • High (CVSS 7.0-8.9): Within 7 days of confirmation
  • Medium (CVSS 4.0-6.9): Within 30 days of confirmation
  • Low (CVSS 0.1-3.9): Within 90 days of confirmation

Contact

CyberPolicyPros LLC
15503 Brinton Way, Brandywine, MD 20613
Security reports: legal@cyberpolicypros.net
Website: cyberpolicypros.net
