Security & Responsible Disclosure
We take platform security seriously. If you find a vulnerability, please report it responsibly so we can verify, fix, and protect users.
1) Security contact
- Security email: security@catalo.id
- For billing/refund/account access issues that are not security issues, please use Contact or email support@catalo.id.
2) How to report a vulnerability
Email the security contact and include enough detail so we can reproduce and validate the issue.
- Affected URL/feature and step-by-step reproduction instructions.
- Impact: what could an attacker do?
- Safe, non-destructive proof of concept, if available.
- Your preferred contact for follow-up.
3) Our response
- We aim to confirm receipt of reports within 3 business days.
- Triage and severity assessment are usually completed within 7 business days, depending on complexity.
- We may ask for additional details to validate the report.
- Fixes are released based on severity and risk.
4) Responsible disclosure guidelines
To protect users and the platform, please follow these guidelines during testing and disclosure.
- Non-destructive testing with minimal data exposure.
- Private reporting to the security contact.
- Clear reproduction steps and evidence.
- Do not access, change, or delete data that is not yours.
- Do not disrupt the service, such as through DDoS, load testing, spam, or brute force.
- Do not use social engineering, phishing, or extortion.
5) Scope
Scope includes web properties and services operating on the domain catalo.id.
If you are unsure whether a target is in scope, ask first through the security email.
6) security.txt
We publish a standard security contact file, security.txt, to make reporting easier.
7) Contact
Security: security@catalo.id · Support: support@catalo.id