At Sendrella, we are deeply committed to maintaining the security and privacy of our platform and users. We understand the importance of cybersecurity and value the efforts of security researchers who help keep our systems secure.
We have established this Responsible Disclosure Program to provide guidelines for researchers to report security vulnerabilities responsibly.
Program Overview
We invite ethical hackers, penetration testers, and security researchers to test authorized systems for potential vulnerabilities. However, testing must be conducted within defined boundaries to avoid legal risks.
This program allows testing only on approved environments and outlines the rewards, legal protections, and expectations for responsible disclosure.
Scope of Testing
The following table outlines which systems are eligible for testing under this program:
Domain | Status | Description |
---|---|---|
https://staging.sendrella.com | In-Scope | Dedicated staging environment for testing. Resettable anytime. |
https://swagger.sendrella.com | In-Scope | API documentation portal. Switch all API domains to staging. |
https://sendrella.com | Out-of-Scope | Production environment. Strictly prohibited for testing. |
Any other subdomain | Out-of-Scope | Not authorized for testing unless explicitly stated. |
Important Note for API Testing:
The APIs listed on swagger.sendrella.com may reference production endpoints (sendrella.com). Before executing any API requests, replace the base domain with staging.sendrella.com to stay within scope.
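As an added example (not Sendrella's own code or tooling), the helper below enforces the scope table above before any request is sent: it rewrites production API URLs to the staging host, passes in-scope hosts through unchanged, and refuses every other subdomain. It assumes the Swagger portal serves an OpenAPI 3 document with a `servers` list; the sample spec is constructed for illustration.

```python
from urllib.parse import urlparse, urlunparse

# Scope table transcribed from the program page (constructed mapping, not Sendrella code).
STAGING_HOST = "staging.sendrella.com"
IN_SCOPE_HOSTS = {STAGING_HOST, "swagger.sendrella.com"}
PRODUCTION_HOST = "sendrella.com"


class OutOfScopeError(ValueError):
    """Raised when a URL targets a host the program does not authorize."""


def to_staging(url: str) -> str:
    """Return `url` pointed at the staging environment.

    - production host  -> rewritten to staging (path, query and port preserved)
    - in-scope host    -> returned unchanged
    - anything else    -> OutOfScopeError (covers "any other subdomain")
    """
    parts = urlparse(url)
    host = (parts.hostname or "").lower()
    if host == PRODUCTION_HOST:
        netloc = STAGING_HOST if parts.port is None else f"{STAGING_HOST}:{parts.port}"
        return urlunparse(parts._replace(netloc=netloc))
    if host in IN_SCOPE_HOSTS:
        return url
    raise OutOfScopeError(f"{host!r} is not an authorized testing target")


def rewrite_spec_servers(spec: dict) -> dict:
    """Return a copy of an OpenAPI 3 document whose servers[].url entries target staging.

    Any server entry pointing outside the scope table raises OutOfScopeError, so the
    spec cannot be used against an unauthorized host by accident.
    """
    out = dict(spec)
    out["servers"] = [dict(s, url=to_staging(s["url"])) for s in spec.get("servers", [])]
    return out


# Constructed sample: a minimal spec whose server entry references production.
SAMPLE_SPEC = {
    "openapi": "3.0.0",
    "servers": [{"url": "https://sendrella.com/api/v1"}],
    "paths": {},
}

if __name__ == "__main__":
    print(rewrite_spec_servers(SAMPLE_SPEC)["servers"])
    # -> [{'url': 'https://staging.sendrella.com/api/v1'}]
```

Load the spec through `rewrite_spec_servers` once and build every request from the rewritten `servers` entry; a raised `OutOfScopeError` means a URL would have left the authorized environment.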
Out-of-Scope Activities
To ensure the safety and availability of our services, the following testing methods and actions are prohibited:
Not Allowed | Description |
---|---|
Denial of Service (DoS) | Any action that disrupts or degrades system performance. |
Spam or Brute Force Attacks | Automated requests, login attempts, or flooding services. |
Accessing or Modifying User Data | Extracting, viewing, or altering data of real users. |
Social Engineering & Phishing | Attempting to deceive Sendrella employees or users. |
Physical Security Testing | Attempting to access physical infrastructure or offices. |
Public Disclosure Before Remediation | Sharing vulnerabilities publicly without written permission. |
Any breach of these restrictions may result in legal consequences and removal from this program.
Accepted Vulnerabilities
We are interested in vulnerabilities that impact confidentiality, integrity, or availability of our services. Submissions related to the following categories are encouraged:
Category | Examples |
---|---|
Authentication & Authorization Flaws | Broken access control, privilege escalation, IDOR. |
Injection Attacks | SQL Injection (SQLi), Command Injection, NoSQL Injection. |
Cross-Site Scripting (XSS) | Stored XSS, Reflected XSS, DOM-based XSS. |
Cross-Site Request Forgery (CSRF) | CSRF on sensitive actions. |
Server-Side Request Forgery (SSRF) | Unauthorized server-side requests triggered by user input. |
Security Misconfiguration | Exposed admin panels, default credentials, verbose error messages. |
Cryptographic Issues | Weak encryption, improper key management, broken SSL/TLS configs. |
API Security Issues | Unauthenticated access, excessive data exposure, rate-limit bypass. |
Vulnerable Components | Use of outdated software or known vulnerable libraries. |
Other Logical or Business Flaws | Issues affecting platform integrity or process bypasses. |
We prioritize submissions that correspond to the OWASP Top 10 security risks.
Rewards & Recognition
We appreciate your contribution and offer rewards based on the impact of your findings.
Severity (CVSS v3.1 Score) | Reward |
---|---|
High (Above 7.0) | 50,000 Sendrella Credits, Hall of Fame listing, Certificate of Appreciation. |
Medium (4.0 – 7.0) | Hall of Fame mention, exclusive Sendrella swag (subject to availability). |
Low (Below 4.0) | Recognition (at our discretion). |
All reports are reviewed and validated internally.
Rewards are subject to severity assessment and availability.
Legal Safe Harbor
We respect the work of ethical hackers and security researchers. If you:
- Follow this program’s guidelines.
- Act in good faith.
- Test only within the defined scope.
You are exempt from legal action by Sendrella.
However, actions such as testing outside the scope, malicious behavior, or unauthorized disclosure will void this protection and may lead to legal consequences.
How to Submit a Report
Email your findings to: [email protected]
Your report should include:
- A clear description of the issue.
- Step-by-step instructions to reproduce the vulnerability.
- Screenshots, proof-of-concept code, or logs (if applicable).
- Suggested CVSS score (optional; we will validate internally).
Response Process
Action | Timeline |
---|---|
Acknowledgement | Within 5 business days. |
Assessment & Review | Depending on complexity, we’ll keep you updated. |
Remediation | Timeline will vary based on severity and complexity. |
Reward Notification | After resolution, rewards will be processed (if applicable). |
Hall of Fame
No. | Name | Profile | No. of accepted vulnerabilities |
---|---|---|---|
Our Commitment to Security
Thank you for helping us improve the security of Sendrella.
Your contribution makes the platform safer for everyone!