Vulnerability Disclosure Policy

SMRT Payments values the security of our systems and our customers’ data. We encourage responsible disclosure of vulnerabilities and will not pursue legal action against researchers who follow this policy in good faith.

Scope

In scope: publicly accessible domains under smrtpayments.com (including subdomains such as legal.smrtpayments.com and crm.smrtpayments.com) and our public APIs. Out of scope: third‑party services, vendors, and physical premises.

Ground Rules

• Do not access, modify, or exfiltrate data that does not belong to you. Use test accounts where possible.
• No service disruption: avoid actions that degrade availability (e.g., DDoS, brute force, spam).
• No privacy harm: do not submit PII, card numbers, or credentials in reports—redact or provide minimal reproductions.
• Give us reasonable time to remediate before public disclosure (see timelines below).
• Comply with applicable laws and this policy at all times.

Testing Not Permitted

• Physical attacks, social engineering, or phishing of employees or customers
• Ransomware, backdoors, persistence mechanisms, or lateral movement
• Automated scanning that overwhelms services or generates excessive traffic
• Denial‑of‑service (DoS/DDoS), spam, or SMS flooding

How to Report

Email [email protected] with the following:

• Affected domain/endpoint and a clear description of the issue
• Steps to reproduce, proof‑of‑concept, and impact assessment
• Your testing environment (browser, OS, tools) and timestamps
• Any relevant request/response samples (headers only; redact secrets)

If you require encryption, request our PGP key at [email protected].

Response Targets

• Acknowledgement: within 2 business days
• Initial assessment: within 5 business days
• Remediation ETA: shared after triage based on severity

Recognition & Rewards

We do not operate a paid bug bounty at this time. With your permission, we may credit researchers on a security acknowledgements page after remediation.

Safe Harbor

If you comply with this policy, we will not initiate legal action against you for security research activities conducted in good faith that are consistent with this policy. This includes claims under the Computer Fraud and Abuse Act (CFAA) and similar laws. If a third party initiates legal action, we will make it known that your actions were conducted pursuant to this policy.

Effective: January 1, 2025 · Last Updated: September 29, 2025