Vulnerability Disclosure Policy
Version 1.0 | Effective: April 30, 2026
1. Introduction
Stellarscope Security™ is committed to maintaining the confidentiality, integrity, and availability of our systems and the trust of every client we serve. We recognize that security vulnerabilities can be discovered by anyone at any time — and we believe that responsible collaboration with the security research community makes everyone safer.
This Vulnerability Disclosure Policy (VDP) establishes clear guidelines for conducting good-faith vulnerability discovery and disclosure activities involving Stellarscope Security™ systems and data. It describes what is in scope, how to conduct authorized research, how to submit findings, and what you can expect from us in return.
If at any time you are uncertain whether your research activities are consistent with this policy, contact us before proceeding.
2. Scope
2.1 In-Scope Systems
This policy applies to all internet-accessible systems and digital assets owned and operated by Stellarscope Security™, including but not limited to:
- The Stellarscope Security™ primary website and all associated subdomains
- Any client-facing portals, tools, or communications infrastructure operating under the Stellarscope Security™ brand
- Email infrastructure directly associated with Stellarscope Security™ domains
- Any publicly accessible systems directly owned and operated by Stellarscope Security™
2.2 Out-of-Scope Systems
The following are explicitly excluded from this policy and are not authorized for testing:
- Third-party platforms, vendors, or service providers used by Stellarscope Security™ but not owned or controlled by us — vulnerabilities in those systems should be reported directly to the respective vendor
- Client systems, networks, or environments engaged through a Stellarscope Security™ consulting relationship
- Any system not directly owned and operated by Stellarscope Security™
If non-public Stellarscope Security™ data is discovered on a third-party platform, please report it to us immediately regardless of whether that platform is in scope.
3. Authorized Research & Good Faith Guidelines
Stellarscope Security™ authorizes vulnerability research conducted in accordance with this policy. To qualify for safe harbor protections, researchers must adhere to the following:
You are authorized to:
- Conduct passive reconnaissance of in-scope systems
- Test for the presence of vulnerabilities using non-destructive methods
- Use exploits only to the minimum extent necessary to confirm the existence of a vulnerability — no further
- Submit findings via the disclosure process outlined in Section 5
You are required to:
- Notify Stellarscope Security™ as soon as possible after discovering a potential vulnerability
- Cease testing immediately upon encountering any sensitive data — including personally identifiable information (PII), financial information, proprietary business information, or client data — and report it without delay
- Maintain strict confidentiality of all findings until Stellarscope Security™ has confirmed remediation or issued written authorization for disclosure
- Provide sufficient time for remediation before any public disclosure (coordinated disclosure)
You are not authorized to:
- Conduct denial-of-service (DoS) or distributed denial-of-service (DDoS) attacks against any in-scope system
- Perform brute force credential attacks or automated scanning at a scale that degrades service availability
- Attempt to access, modify, exfiltrate, destroy, or ransom any data beyond what is minimally necessary to confirm a vulnerability in good faith
- Establish persistent access, backdoors, or command-and-control channels on any system
- Pivot or laterally move from an identified vulnerability to access additional systems
- Conduct physical security testing, social engineering, phishing, or vishing against Stellarscope Security™ personnel and/or clients
- Submit automated scanner output without independent validation and demonstrated exploitability
- Disclose vulnerability details to any third party without prior written consent from Stellarscope Security™
4. What to Submit — and What Not to Submit
Reportable & In-Scope Vulnerability Types:
- Web Application
  - Injection vulnerabilities (SQL, command, LDAP, XML, template injection, etc.)
  - Authentication and session management flaws
  - Cross-site scripting (XSS) with demonstrated impact
  - Cross-site request forgery (CSRF) with demonstrated impact
  - Server-side request forgery (SSRF)
  - Insecure direct object references (IDOR) exposing sensitive data
  - Remote or local file inclusion vulnerabilities
  - Sensitive data exposure (credentials, PII, business data)
  - Broken access control or privilege escalation
  - Security misconfigurations with a demonstrable exploitation path
  - Business logic flaws with material security impact
  - Subdomain takeover vulnerabilities
  - Clickjacking on pages that perform sensitive or authenticated actions
  - Open redirects with demonstrated phishing or exploitation impact
  - XML external entity injection (XXE)
  - Insecure deserialization with demonstrable impact
  - Path traversal with demonstrated access to sensitive files
- API Security
  - Broken object level authorization (BOLA/IDOR) in API endpoints
  - Excessive data exposure via API responses
  - Lack of rate limiting enabling enumeration, credential stuffing, or abuse
  - Improper API authentication or token handling
  - Mass assignment vulnerabilities
  - Broken function level authorization
  - Unrestricted API endpoint exposure
- AI & Machine Learning
  - Prompt injection attacks against any AI-assisted features on Stellarscope systems
  - Indirect prompt injection via external or user-supplied content sources
  - Model inversion or training data extraction attempts against AI components
  - AI supply chain vulnerabilities including poisoned models or compromised integrations
  - Insecure AI API key exposure or misconfigured AI service endpoints
  - Agentic workflow abuse or unintended tool and function execution
  - LLM-assisted privilege escalation or unauthorized data access
  - Insecure Model Context Protocol (MCP) configurations
  - Unsafe AI agent tool permissions or excessive agency
  - AI-enabled data leakage through system prompt extraction
- Infrastructure & Cloud
  - Exposed cloud storage buckets or misconfigured cloud service assets
  - DNS misconfiguration including zone transfer vulnerabilities
  - Exposed administrative interfaces or internal services accessible externally
  - Leaked credentials, secrets, or API keys in public repositories, source code, or metadata
  - Server-side template injection (SSTI)
  - Remote code execution (RCE) via any vector
  - Unpatched or exploitable known vulnerabilities with confirmed exploitation path
- Email, Domain, and Brand Integrity
  - Domain spoofing enabled by missing or misconfigured SPF, DKIM, or DMARC records
  - Subdomain takeover via dangling DNS records
  - Homograph or lookalike domain abuse under the Stellarscope Security™ brand
  - Email header injection vulnerabilities
  - Stellarscope Security™ brand impersonations, scams, illegitimate/unauthorized use of the Stellarscope Security™ brand, or unauthorized use of trademarks, intellectual property, trade secrets, copyrights, or patents
Not Reportable — Out-of-Scope Finding Types:
The following will not be accepted and do not qualify for acknowledgment:
- Missing security headers (e.g., HSTS, CSP, X-Frame-Options) that do not lead directly to an exploitable vulnerability
- SSL/TLS configuration issues (e.g., weak ciphers, certificate warnings) without a demonstrated exploitation path
- Software version disclosure without accompanying proof of exploitability
- Use of a known-vulnerable library without evidence of active exploitability in context
- Missing best practices or hardening recommendations without a confirmed vulnerability
- Presence of the autocomplete attribute on web forms
- Insecure cookie settings on non-sensitive cookies
- Clickjacking on pages that do not perform sensitive actions
- Open redirects without demonstrated phishing or exploitation impact
- Descriptive or verbose error messages without sensitive data exposure
- Vulnerabilities that require physical access to a device
- Vulnerabilities affecting only users of outdated or unsupported browsers
- Self-XSS or attacks that require the victim to perform highly unlikely actions
- Theoretical vulnerabilities without a working proof of concept
- Typos, UI errors, or UX issues that do not constitute a security vulnerability
- Reports generated exclusively by automated scanning tools without manual validation
5. How to Submit a Report
All vulnerability disclosures must be submitted via email to: security@stellarscopesecurity.com
To enable efficient triage and response, please include the following in your submission:
- Vulnerability description: A clear explanation of the vulnerability, its location, and its potential impact if exploited
- Reproduction steps: A detailed, step-by-step walkthrough sufficient for our team to independently reproduce the finding
- Proof of concept: Supporting evidence such as screenshots, videos, HTTP request/response captures, or non-destructive proof-of-concept code
- Affected system(s): The specific URL, endpoint, parameter, or asset involved
- Severity assessment: Your estimated severity rating (Critical, High, Medium, Low, Informational) and rationale
- Your contact information: Name for correspondence and acknowledgment purposes
Incomplete reports may delay triage. We encourage researchers to provide as much detail as possible.
6. Our Commitments to Researchers
Upon receipt of a qualifying vulnerability report, Stellarscope Security™ commits to the following:
- Acknowledgment: We will confirm receipt of your report as soon as possible
- Initial Assessment: We will provide an initial severity determination and triage decision as soon as possible
- Transparency: We will keep you reasonably informed of remediation progress and notify you upon resolution
- Coordinated Disclosure: We will work with you to agree on an appropriate public disclosure timeline following remediation
- Recognition: With your permission, we will publicly acknowledge your contribution in our Researcher Hall of Fame upon confirmation of a valid, remediated finding
- No Bounties: Stellarscope Security™ does not offer monetary compensation at this time. By submitting a report, you waive all claims to financial compensation.
Duplicate submissions or findings already known to Stellarscope Security™ at the time of report do not qualify for Hall of Fame recognition.
7. Researcher Hall of Fame
Stellarscope Security™ publicly recognizes researchers who responsibly disclose valid, previously unknown vulnerabilities in accordance with this policy. Recognition is granted with the researcher's explicit consent and is awarded upon confirmation of a valid finding and completed remediation.
Hall of Fame listings coming soon.
8. Safe Harbor
Stellarscope Security™ will not pursue civil or criminal action against security researchers who discover and disclose vulnerabilities in good faith, provided the researcher:
- Complies fully with the terms of this policy
- Takes no action to exploit, monetize, or publicly disclose findings outside of the coordinated disclosure process
- Makes no attempt to access data beyond what is minimally necessary to confirm the vulnerability
- Causes no intentional harm to Stellarscope systems, data, or clients
Should legal action be initiated by a third party against a researcher for activities conducted in accordance with this policy, Stellarscope Security™ will make this authorization known.
This policy does not authorize research activities that violate applicable federal, state, or local law. Researchers are responsible for ensuring their activities remain lawful and ethical.
9. Policy Updates
This policy may be updated periodically to reflect changes in scope, process, or applicable guidance. The version number and effective date at the top of this document will reflect the most current revision. Material changes will be noted in the version history.
10. Contact
Security Disclosures: security@stellarscopesecurity.com
Stellarscope Security™, Houston, TX