Vulnerability Disclosure Policy
CtrlOne ("Company", "we", "our", or "us") values the security of our products, infrastructure, customers, partners, and users. Security researchers, ethical hackers, customers, and members of the security community play an important role in helping us identify security vulnerabilities before they can be exploited. This Vulnerability Disclosure Policy ("VDP") explains how security vulnerabilities should be reported to CtrlOne, what types of testing are permitted, our Safe Harbor commitment, and how we handle vulnerability reports. Effective Date: 14 July 2026.
Last updated: July 14, 2026
Applicability
This policy applies to the following, including all official domains and subdomains operated by CtrlOne:
- CtrlOne Cloud Platform
- CtrlOne Web Portal
- CtrlOne Agent
- CtrlOne Enterprise Console
- CtrlOne Online Services
- CtrlOne APIs
- CtrlOne Installer
- CtrlOne Licensing Platform
- CtrlOne Documentation
- CtrlOne-owned websites
Our Commitment
We appreciate responsible security research. If you discover a genuine security vulnerability, we commit to:
- Investigating every legitimate report
- Treating researchers professionally
- Working collaboratively
- Keeping communication open throughout remediation
- Fixing verified vulnerabilities as quickly as reasonably possible
- Publicly acknowledging researchers (if requested)
- Never taking legal action against researchers acting in good faith under this policy
Responsible Disclosure Principles
Researchers should:
- Act honestly
- Minimize risk
- Protect customer privacy
- Avoid disrupting production systems
- Report vulnerabilities confidentially
- Allow us reasonable time to remediate before public disclosure
Safe Harbor
If you comply with this Policy, CtrlOne considers your research to be authorized, conducted in good faith, and intended to improve security. CtrlOne will not initiate civil or criminal legal action against researchers who:
This Safe Harbor applies only to activities conducted within the limits of this Policy. It does not authorize actions that violate applicable laws.
- Follow this policy
- Avoid customer impact
- Report vulnerabilities responsibly
- Do not exploit vulnerabilities beyond what is necessary to demonstrate the issue
- Do not access, alter, or retain customer data unnecessarily
Legal Compliance
This Policy is governed by:
International researchers must also comply with their local laws.
- Information Technology Act, 2000
- Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (where applicable)
- Digital Personal Data Protection Act, 2023
- Indian Penal Code and Bharatiya Nyaya Sanhita (where applicable)
- Other applicable Indian laws
In Scope
The following assets are in scope:
- Websites — https://ctrlone.online, www.ctrlone.online, and all official CtrlOne subdomains
- Products — CtrlOne Agent, CtrlOne Enterprise Console, CtrlOne Cloud Dashboard, CtrlOne Windows Client, Licensing Services, Authentication Services, APIs, Update Infrastructure, Installer Packages
- APIs — all production APIs owned and operated by CtrlOne
- Authentication — login, MFA, session management, authorization, access controls
- Cloud Infrastructure — services directly operated by CtrlOne
Out of Scope
The following are NOT authorized:
- Denial of Service — DoS, DDoS, stress testing, resource exhaustion
- Physical Attacks — office access, device theft, hardware tampering
- Social Engineering — phishing, vishing, impersonation, employee manipulation
- Spam — bulk emails, automated submissions
- Third-Party Services — issues affecting cloud providers, payment gateways, CDN providers, email providers, external integrations, browser vendors, or operating systems must be reported to the respective vendor
- Customer Systems — testing customer-managed infrastructure is prohibited
- Vulnerabilities Requiring Compromised Devices — issues requiring rooted systems, jailbroken devices, malware, or local administrator compromise are generally outside scope unless they demonstrate a flaw in CtrlOne itself
Examples of Valid Vulnerabilities
Examples include:
- Remote Code Execution
- Authentication Bypass
- Authorization Bypass
- Privilege Escalation
- SQL Injection
- Command Injection
- XXE
- SSRF
- CSRF
- Stored XSS
- Reflected XSS
- IDOR
- Sensitive Data Exposure
- Insecure Direct Object References
- Session Fixation
- Session Hijacking
- Weak Cryptography
- Broken Authentication
- Privilege Misconfiguration
- Arbitrary File Upload
- API Authentication Issues
- Token Leakage
- Broken Access Controls
- Business Logic Security Issues
Low-Risk Issues Generally Not Accepted
Examples include:
- Missing HTTP headers
- Banner disclosure
- Version disclosure
- Clickjacking without impact
- Weak TLS ciphers without exploitability
- Missing SPF/DKIM/DMARC
- Rate-limit suggestions without abuse potential
- Self-XSS
- Logout CSRF
- Duplicate reports
- Theoretical attacks without proof
- Missing best-practice recommendations
Rules of Engagement
Researchers must:
- Use only accounts they own
- Avoid accessing other users' data
- Avoid modifying data
- Avoid deleting data
- Avoid persistent access
- Stop testing immediately if sensitive customer information is encountered
- Notify CtrlOne immediately
What We Ask Researchers NOT To Do
Do NOT:
- Download customer databases
- Exfiltrate information
- Intercept customer traffic
- Modify production data
- Create backdoors
- Install malware
- Pivot into third-party systems
- Use ransomware
- Conduct brute-force attacks
- Perform password spraying
- Disrupt service availability
Reporting a Vulnerability
Please include:
- Title
- Description
- Affected product
- Version number
- URL
- Component
- Vulnerability type
- Severity assessment
- Reproduction steps
- Screenshots
- Logs
- Proof-of-Concept (PoC)
- Suggested remediation
- Researcher's name (optional)
- Contact information
Where to Report
Please report vulnerabilities through our security email: security@ctrlone.online.
If encrypted communication is required, request our PGP public key in your initial email.
Do not report security vulnerabilities through general customer support or social media channels.
Response Timeline
Our target service levels are as follows. These are targets and may vary depending on complexity.
- Acknowledgement — within 2 Business Days
- Initial Review — within 5 Business Days
- Technical Validation — within 10 Business Days
- Status Updates — every 14 Days
- Critical Fix — as soon as reasonably practicable
- Public Disclosure Coordination — typically within 90 Days, unless both parties agree otherwise
Coordinated Disclosure
We request researchers:
Unless actively exploited or legally required, we generally target disclosure after remediation or approximately 90 days by mutual agreement.
- Keep reports confidential
- Allow us reasonable remediation time
- Coordinate public disclosure with us
Bug Bounty
At present, CtrlOne does NOT operate a public Bug Bounty Program. Submission of a vulnerability does not create any obligation to provide monetary rewards, gifts, discounts, licenses, employment, or compensation.
At our sole discretion, we may choose to:
- Publicly acknowledge researchers
- Issue appreciation certificates
- Offer recognition in our Security Hall of Fame
Duplicate Reports
Only the first valid report received for a specific vulnerability will normally be considered for acknowledgement.
Researcher Recognition
With permission, verified researchers may be listed on our Security Hall of Fame, including name, organization, handle, country, and date. Researchers may also request anonymity.
Confidentiality
Security reports are treated as confidential. Researchers agree not to publicly disclose vulnerability details, proof-of-concept, exploit code, screenshots, or technical findings until CtrlOne authorizes disclosure or coordinated disclosure timelines are reached.
Privacy
Information submitted under this Policy is processed in accordance with the CtrlOne Privacy Policy and applicable privacy laws, including the DPDP Act, 2023.
Export Control
Researchers are responsible for complying with applicable export control, sanctions, and cybersecurity laws in their jurisdiction.
Policy Changes
CtrlOne reserves the right to modify this Policy at any time. Updated versions will be published on our website with a revised effective date.
Contact
Security Team — Email: security@ctrlone.online — Website: https://ctrlone.online
Disclaimer
This Vulnerability Disclosure Policy does not grant permission to perform activities prohibited by law. Researchers remain responsible for ensuring their activities comply with all applicable legal requirements. CtrlOne reserves all rights not expressly granted under this Policy.