Vulnerability Disclosure Policy
1. Scope
This policy covers vulnerabilities discovered in:
- SphereMail web application —
spheremail.securespherelabs.com - SphereMail API endpoints —
/api/* - SphereMail authentication system —
/auth/* - SecureSphereLabs main site —
securespherelabs.com
Out of scope:
- Third-party services (VirusTotal, AbuseIPDB, Razorpay, Stripe)
- Social engineering attacks against SecureSphereLabs staff
- Physical security
- Denial of service attacks
- Theoretical vulnerabilities without demonstrated impact
2. How to Report
Please include in your report:
- Clear description of the vulnerability and its potential impact
- Step-by-step reproduction instructions
- URL, endpoint, or component affected
- Any proof-of-concept code or screenshots (non-destructive only)
- Your name/handle (for acknowledgement, if desired)
3. Our Commitments
- We will acknowledge your report within 48 hours
- We will provide an initial assessment and severity classification within 7 business days
- We will keep you informed of remediation progress
- We will notify you when the vulnerability has been patched
- With your permission, we will acknowledge your contribution publicly
4. Safe Harbour
If you conduct security research in compliance with this policy, we commit to:
- Not pursuing civil or criminal action against you for good-faith research
- Not referring you to law enforcement for good-faith research
- Working with you to understand and resolve the issue quickly
"Good-faith research" means: you access only test accounts or data you own, you do not disrupt service availability, you do not access or exfiltrate other users' data, and you report the vulnerability to us promptly without public disclosure until we have had a reasonable time to remediate.
5. Authorised Testing Boundaries
- You may test using your own registered account only
- You must not access, modify, or delete data belonging to other users
- You must not perform testing that could degrade service availability
- You must not use automated scanning tools without prior written permission
- Testing of payment infrastructure (Razorpay, Stripe) must be conducted only in sandbox/test mode
6. Disclosure Timeline
We ask that you allow us a 90-day coordinated disclosure window before making any public disclosure, to allow time for patching and user notification where necessary. We will work with you to expedite this timeline for critical vulnerabilities.
These documents were last updated on May 26, 2026. For questions, contact legal@securespherelabs.com. · Back to SphereMail
SphereMail