Responsible Disclosure Policy

CostPerform takes the security of our application and customer data seriously. We welcome responsible security research and appreciate the efforts of individuals who report vulnerabilities in a responsible manner.

Reporting a Vulnerability

If you believe you have discovered a security vulnerability in the CostPerform application, please report it to:

Email: security@costperform.com

Include the following details where possible:

  • Affected version of CostPerform
  • A clear description of the vulnerability
  • Steps to reproduce the issue
  • The potential impact
  • Any supporting screenshots or proof-of-concept code

Please do not publicly disclose the issue(s), as we need to investigate and address them appropriately.

Our Commitment

If you report a vulnerability in good faith and in accordance with this policy, CostPerform will:

  • Acknowledge receipt of your report within a reasonable timeframe
  • Investigate and validate the issue
  • Work to remediate confirmed vulnerabilities promptly
  • Keep you informed of progress where appropriate

We will not pursue legal action against researchers who:

  • Act in good faith
  • Do not exploit the vulnerability beyond what is necessary to demonstrate its existence
  • Do not access, modify, or exfiltrate customer data
  • Do not disrupt services or degrade user experience
  • Do not target any CostPerform environments, whether on-premise or SaaS, that do not belong to the reporting party

Scope

This policy applies to the CostPerform application, on-premise and SaaS, for paying customers on their own environments only.

Out of Scope

The following are not considered valid security issues under this policy:

  • Denial-of-service attacks or testing
  • Social engineering attacks
  • Issues requiring physical access
  • Vulnerabilities in third-party services not under CostPerform control
  • Any testing, probing, or attacks against on-premise or SaaS environments not operated by the disclosing party