Security & Responsible Disclosure
We take platform security seriously. If you discover a vulnerability, please report it responsibly so we can verify, fix, and protect users.
1) Security contact
- Security email: security@catalo.id
- For billing/refunds/account access (not security), please use Contact or email support@catalo.id.
2) How to report a vulnerability
Email the security contact and include enough detail for us to reproduce and validate the issue.
- Affected URL/feature and step-by-step reproduction steps.
- Impact: what could an attacker do?
- A safe, non-destructive proof-of-concept, if available.
- Your preferred contact information for follow-up.
3) Our response
- We aim to acknowledge receipt within 3 business days.
- Triage and severity assessment usually happen within 7 business days, depending on complexity.
- We may request additional details to validate the report.
- Fixes are released based on severity and risk.
4) Responsible disclosure guidelines
To protect users and the platform, please follow these guidelines during testing and disclosure.
Do:
- Non-destructive testing with minimal data exposure.
- Private reporting to the security contact.
- Clear reproduction steps and evidence.
Do not:
- Accessing, modifying, or deleting data that is not yours.
- Disrupting service (DDoS, load testing, spam, brute force).
- Social engineering, phishing, or extortion.
5) Scope
Scope includes web properties and services operated on the domain catalo.id.
If you are unsure whether a target is in scope, ask first via the security email.
6) security.txt
We publish a standard security contact file (security.txt) to make reporting easier.
7) Contacts
Security: security@catalo.id · Support: support@catalo.id