Vulnerability Disclosure Policy
Last updated: March 27, 2026
Effective since March 27, 2026
1. Introduction
cepaos LLC operates a SaaS winery management platform. We encourage responsible vulnerability reporting.
2. In Scope
- cepaos.com — public website
- app.cepaos.com — authenticated dashboard
- Public API
- Public forms
- Authentication flows
3. Out of Scope
- Third-party infrastructure (Supabase, Cloudflare, dLocalGo, etc.)
- Social engineering
- DoS/DDoS attacks
- Spam, phishing
- Automated scanner reports without manual analysis
4. How to Report
Send reports to security@cepaos.com with: description, reproduction steps, potential impact, evidence, and environment.
5. Safe Harbor
cepaos will not take legal action against good-faith researchers acting within the defined scope.
6. Response Timelines
| Stage | Timeline |
|---|---|
| Acknowledgement | 48 business hours |
| Initial assessment | 5 business days |
| Progress updates | Every 15 days |
7. Rewards Programme
cepaos does not offer monetary rewards (bug bounty) at this stage. We maintain a public Hall of Fame.
8. Public Disclosure Restriction
Public disclosure is restricted for 90 calendar days or until a deployed fix is confirmed, whichever comes first.
9. Contact
- security@cepaos.com
- cepaos LLC — Wyoming, United States
This document does not constitute legal advice.