GoggleCRM LTD welcomes responsible security research. This page explains how to report potential vulnerabilities affecting services under gogglecrm.com, what we expect from researchers, and what you can expect from us.
Scope
This policy covers production services and web applications hosted under the gogglecrm.com domain, including any subdomains beneath it (wildcard scope). Examples include (but are not limited to):
https://gogglecrm.com and any subdomains owned by GoggleCRM LTD
Customer-facing web applications and APIs on the gogglecrm.com domain
If you are unsure whether a target is in-scope, please include the URL in your report and we will confirm.
What we ask of researchers
Provide a clear, reproducible report: affected URL(s), steps to reproduce, expected vs actual behaviour, and a short impact assessment.
Include proof-of-concept (PoC) evidence where possible (screenshots, curl commands, sample payloads). Do not include exploit code that would damage systems or expose customer data.
Do not perform destructive testing: do not exfiltrate, manipulate, or destroy customer data, and do not disrupt production services.
Respect user privacy and confidentiality at all times.
Do not share findings publicly until remediation has been agreed or completed.
What not to do
Do not attempt social engineering or phishing against our staff or customers.
Do not scan or brute-force accounts in an attempt to gain access.
Do not exploit, sell, or publicly disclose vulnerabilities before we have had a reasonable opportunity to respond and remediate.
Allowed testing: We permit limited, non-destructive testing performed in good faith that follows the rules above. If your testing requires more intrusive access, contact us first at [email protected].
Report template
Summary: one-sentence description of the issue
Affected URL(s):
Steps to reproduce:
1) ...
2) ...
Proof of concept (PoC): (curl, screenshot, payload)
Impact assessment: (what can an attacker do?)
Your contact details: (email)
Our commitments
We will acknowledge receipt of a valid report within 72 hours (counted in business days).
We will triage and provide an initial status update within 7 calendar days, or sooner for high-severity issues.
We will keep you informed of progress and, where appropriate, credit you publicly for responsible disclosure (unless you request anonymity).
We do not offer bug bounties at this time. Any financial reward or commercial arrangement will be pre-agreed in writing.
Legal safe harbour
Provided you comply with this policy and act in good faith to avoid privacy violations, data destruction or service disruption, GoggleCRM LTD will not pursue legal action against security researchers who follow this policy when reporting vulnerabilities to [email protected].
This safe harbour does not apply if testing exceeds the scope described here, if you access or persistently exfiltrate customer data, or if you engage in extortion or other malicious activity.
If someone demands payment or threatens disclosure
Do not pay. If you receive extortionate or threatening messages claiming to have hacked our systems or demanding payment, forward them immediately to [email protected]. We will treat such messages as malicious and can provide guidance on next steps.
Acknowledgements & credits
We appreciate the contributions of the security community. When remediation is complete we may, with your permission, credit researchers publicly for responsible reports.