Vulnerability Disclosure Policy

Effective date: March 1, 2024

TeliApp Corporation ("us", "we", or "our") operates the teliapp.com website and associated services (the "Service").

This page outlines our policy for receiving and addressing vulnerability reports related to our Service, services that we provide, and services that we manage. We value the security community and believe responsible disclosure benefits everyone.

Definitions

  • Service

    Service includes the teliapp.com website, software, APIs, and cloud infrastructure operated by TeliApp Corporation.

  • Vulnerability

    A security weakness that could potentially be exploited to compromise security or privacy.

  • Researcher

    Any individual or entity that responsibly reports potential vulnerabilities.

Reporting Process

We encourage security researchers to share vulnerabilities with our security team:

  • Submit Reports To

    cvey@teliapp.com (PGP key available on request)

  • Required Information

    • Description of the vulnerability
    • Steps to reproduce
    • Potential impact
    • Suggested remediation (optional)

Scope

This policy applies to vulnerabilities in:

  • TeliApp software
  • TeliApp web services (teliapp.com)
  • TeliApp Cloud API endpoints

Out of Scope:

  • Third-party services not directly operated by TeliApp
  • Social engineering or physical attacks
  • Denial-of-service vulnerabilities

Safe Harbor

We will not pursue legal action against researchers who:

  • Make good faith efforts to avoid privacy violations
  • Do not exfiltrate data beyond what's needed to demonstrate the vulnerability
  • Give us reasonable time to address issues before public disclosure
  • Comply with all applicable laws

Our Commitments

  • Response Timeline

    • Initial response within 3 business days
    • Status updates every 7 business days
    • Resolution within 90 days (unless legally restricted)

  • CVE Assignment

    As a CVE Numbering Authority (CNA), we will assign CVEs to valid vulnerabilities and publish them in the CVE List.

  • Acknowledgments

    Researchers may be credited in security advisories upon request.

Policy Updates

We may update this policy from time to time. The "Effective date" at the top will indicate revisions.

Contact Us

For security-related inquiries:

  • Email: cve@teliapp.com