Responsible Disclosure Policy
At DECTA, the security of our systems and the protection of our customers' data are our highest priorities. We work continuously to keep our systems safe and secure. However, we acknowledge that no system is entirely flawless.
We value the assistance of the security research community. If you believe you have found a security vulnerability in any of our services, we encourage you to disclose it to us responsibly.
Important Note on Rewards:
We are grateful to anyone who takes the time to report weaknesses they discover, provided they do so in accordance with the responsible disclosure guidelines below. We do not provide financial rewards or monetary compensation. We are, however, happy to offer public acknowledgment and a formal letter of recognition for valid contributions.
Scope
The following assets are considered In Scope for security testing:
- decta.com and all of its subdomains (*.decta.com);
- DECTA API endpoints;
- DECTA Mobile Applications (iOS and Android).
Out of Scope:
- Services operated by third parties or vendors and hosted outside DECTA's infrastructure.
- Customer websites or integrations not directly controlled by DECTA.
Rules of Engagement
Please read the following guidelines before starting your research. To remain in compliance with this policy and qualify for Safe Harbor protection, you must adhere to these rules:
- Perform the minimum amount of testing necessary to prove the existence of a vulnerability. If you encounter user data, financial information, or proprietary secrets, you must cease testing immediately. Do not view, alter, save, store, transfer, or exfiltrate this data, and immediately purge any local information upon reporting the vulnerability.
- You must not exploit a vulnerability to pivot to other systems, establish command line access, or persist in the system; testing must focus solely on demonstrating the presence of a vulnerability.
- You must not use automated scanners or brute-force tools that generate significant traffic or degrade service responsiveness; if you use automated tools, please throttle your request rates to avoid disrupting our services.
- You must not place any malware, backdoors, or arbitrary code on our systems, even for verification purposes.
- You must not attempt to use social engineering, phishing, or vishing against our employees, contractors, or customers.
- You must not attempt to gain physical access to our offices, data centers, or user devices.
- You must not exfiltrate data; proof of concept exploits should only demonstrate the vulnerability, not the magnitude of data that can be stolen.
- Please allow us time to remediate before disclosing publicly. DECTA aims to resolve confirmed issues within 90 days; if an issue is not resolved within this timeframe, we will agree a coordinated disclosure timeline with you.
Reporting a Vulnerability
If you believe you have found a security issue, please submit your findings via email to vdp@decta.com.
To help us validate and resolve the issue efficiently, please ensure your report includes:
- The specific URL or component where the vulnerability exists.
- A brief description of the nature of the vulnerability.
- Clear steps to reproduce the issue (screenshots, video, or a proof-of-concept script are highly encouraged).
- Any specific state required to trigger the bug (e.g., "requires a logged-in user" or "requires specific browser settings").
- Raw HTTP request/response headers and body (text format preferred over screenshots).
- The potential impact of the vulnerability.
- Valid contact information.
- Your IP address used during testing (this helps us to locate your activity in our logs to verify the finding).
Optional: If you prefer to encrypt your communication, you may use our PGP key available [Here].
Our commitment
We will acknowledge receipt of your email, investigate the validity of the issue, and—if confirmed—work to implement a fix in accordance with our internal security policies. We will notify you once the vulnerability is resolved.
What to Report
We are primarily interested in technical vulnerabilities that have a clear, demonstrable impact on the confidentiality, integrity, or availability of DECTA's systems and data. High-quality reports should focus on the following categories:
Server-Side Injection & Logic Flaws
- Injection Attacks: Including SQL injection, OS Command injection, NoSQL, and LDAP injection.
- Remote Code Execution (RCE): Any flaw allowing for arbitrary code execution on our servers.
- Server-Side Request Forgery (SSRF): Specifically those that allow access to internal metadata services or internal network resources.
- Broken Business Logic: Flaws in application logic that could lead to financial loss or unauthorized actions.
Access Control & Authentication
- Broken Authentication: Including session management bypasses, credential stuffing vulnerabilities, or multi-factor authentication bypasses.
- Insecure Direct Object References (IDOR): Unauthorized access to data belonging to other users or sensitive system objects.
- Broken Function-Level Access Control: Gaining access to administrative or privileged functions from a standard user account.
Client-Side & Web Vulnerabilities
- Cross-Site Scripting (XSS): Specifically Stored or Reflected XSS that demonstrates a clear impact, such as session hijacking or sensitive data theft.
- Cross-Site Request Forgery (CSRF): On state-changing actions or sensitive endpoints.
- Open Redirects: Only when combined with another vulnerability to demonstrate a significant security impact.
Sensitive Data Exposure
- Exposed Credentials: Discovery of sensitive API keys, hardcoded passwords, or private certificates in publicly accessible areas or client-side code.
- Information Disclosure: Unintended exposure of Personally Identifiable Information, financial data, or sensitive technical metadata.
- Cloud Misconfigurations: Publicly accessible storage buckets (e.g., S3) or misconfigured cloud services containing DECTA data.
What NOT to report
The following are excluded from this policy. Reports regarding these issues will typically be rejected:
- UI/UX bugs, spelling mistakes, or "best practice" recommendations without a working exploit.
- Missing HTTP security headers (e.g., CSP, HSTS) without a specific proof of concept.
- Email configuration settings (SPF, DMARC, DKIM) unless they allow verified spoofing.
- Disclosure of public information or software version numbers.
- Clickjacking on pages with no sensitive actions.
- Hypothetical issues that do not have a practical exploitation path.
Safe Harbor
We consider security research conducted consistent with this policy to be authorized conduct. If you act in good faith and comply with these guidelines, DECTA will not initiate legal action against you or support law enforcement investigations regarding your research. Furthermore, if a third party initiates legal action against you for activities conducted in accordance with this policy, we will take steps to make it known that your actions were authorized.
Please note: This Safe Harbor applies to legal action controlled by DECTA; we cannot authorize research on behalf of third parties.
Privacy notice (GDPR)
By submitting a report, you consent to DECTA processing your personal data, such as your name and email address, for the purpose of communicating with you and validating your findings. If the vulnerability is verified, we may also use this information for public acknowledgment, provided we have your explicit consent.
We retain report details and contact information for as long as necessary to ensure the issue is resolved and to meet our internal auditing and compliance obligations. All personal data is processed in accordance with our general Privacy Policy. Under the GDPR, you have the right to access, correct, or request the deletion of your personal data at any time. For any privacy-related inquiries, please contact data.protection@decta.com.
Policy Updates
DECTA reserves the right to modify or terminate this policy at any time. However, we commit that any changes will not be applied retroactively. Research conducted in good faith prior to a policy change will be evaluated under the version of the policy active at the time the research was performed.
Recognition and appreciation
We truly value the efforts of security researchers who help us keep our systems and customers safe. While we do not provide monetary compensation, we want to ensure your contributions are recognized.
Upon the successful resolution of a verified vulnerability, we are pleased to offer:
- Public Acknowledgment: with your permission, we will include your name or handle in our Security Hall of Fame.
- Letter of Recognition: we can provide a formal letter of appreciation to acknowledge your contribution to our security.
We thank you for your cooperation in protecting the DECTA ecosystem.