Show Up Show Out Security — Vulnerability Disclosure Policy

Effective date: 04/08/2026

Purpose
SUSOS is committed to reducing risk for users and organizations by handling vulnerability reports responsibly. This policy describes how security researchers and others can report vulnerabilities to us, how we handle reports about our own services (this site and SUSOS‑operated offerings), and how we conduct coordinated disclosure for vulnerabilities we discover in third‑party products and services within our CNA scope.

Scope
This inbox and policy apply to security issues in:

• The public website https://susos.co/ and related SUSOS‑operated web properties we control, and
• Other SUSOS‑operated services we explicitly identify as in scope (we will list them here if applicable).

Out of scope (without prior written authorization)

• Physical security, social engineering, or attempts against SUSOS personnel or customers
• Spam, denial-of-service, or resource exhaustion against production systems
• Issues requiring unlikely user interaction or purely theoretical impact without a practical attack path
• Third‑party services integrated into our site (report to the third party; we can help coordinate if needed)

How to report
Email help@susos.co with:

• Description of the issue and affected URL or component
• Steps to reproduce (proof‑of‑concept if available)
• Potential impact assessment (if known)
• Your contact information for follow‑up
• Encrypting email is welcome if you use PGP; publish a key at a stable URL if you adopt one.

What we ask of researchers

• Act in good faith and avoid privacy violations, data destruction, or persistent access
• Give us reasonable time to investigate and remediate before public disclosure
• Do not access, modify, or exfiltrate user data beyond what is necessary to demonstrate the issue

Our commitment
We will acknowledge receipt within 5 business days when possible. We will investigate validated reports, work on remediation where we control the code or configuration, and coordinate disclosure timelines with you. We may credit researchers in advisories if you want recognition.

Safe harbor
If you comply with this policy and applicable law, SUSOS will not pursue civil action or refer you for law enforcement action for accidental, good‑faith research that does not harm users or our operations. This safe harbor does not bind third parties.

Coordinated disclosure for third‑party products (CNA activity)
When SUSOS discovers vulnerabilities in third‑party products or services through authorized research or customer engagements, we follow coordinated disclosure practices consistent with the CVE Program and applicable CNA Rules. Public write‑ups for those issues, when published, will be listed on our Security advisories page: https://susos.co/security-advisories

Changes
We may update this policy; the “Effective date” at the top will reflect the latest version.