Responsible Disclosure

Last updated: January 2026

Overview

At Ceremonio, we take the security of our platform and our customers' data seriously. We value the work of security researchers who help us identify and address potential vulnerabilities. This Responsible Disclosure Policy provides guidelines for security researchers to report vulnerabilities in our systems.

Scope

This policy applies to:

  • The Ceremonio web application (app.ceremonio.com)
  • The Ceremonio API
  • The Client Portal
  • Associated subdomains used for service delivery

This policy does not apply to our marketing website (ceremonio.com) or any third-party services integrated with our platform.

Prohibited Activities

When conducting security research, you must not:

  • Perform physical security testing or social engineering attacks against our employees or customers
  • Send unsolicited messages, including phishing attempts
  • Execute denial-of-service (DoS) or distributed denial-of-service (DDoS) attacks
  • Introduce malware, ransomware, or any malicious software
  • Run automated vulnerability scans that could degrade service performance or trigger security alerts
  • Attempt to access, modify, or delete data belonging to other users
  • Exfiltrate, download, or store customer data beyond what is necessary to demonstrate the vulnerability
  • Establish persistent access to our systems
  • Pivot from a vulnerability to access other systems or networks
  • Test third-party applications or services connected to our platform
  • Publicly disclose vulnerabilities before we have had reasonable time to address them

Permitted Activities

Security researchers may view or temporarily store Ceremonio data only to the extent necessary to document and demonstrate the presence of a potential vulnerability. Any such data must be deleted immediately after the vulnerability is reported.

Reporting Guidelines

When you discover a potential vulnerability:

  • Stop testing immediately upon discovery
  • Do not exploit the vulnerability beyond what is necessary to confirm its existence
  • Report the vulnerability to us as soon as possible
  • Provide sufficient detail for us to reproduce and understand the issue
  • Delete any data obtained during your research
  • Allow us reasonable time to investigate and address the issue before any public disclosure

What to Include in Your Report

A good vulnerability report includes:

  • Description of the vulnerability and its potential impact
  • Steps to reproduce the issue
  • Affected URLs, endpoints, or components
  • Any tools or scripts used (if applicable)
  • Screenshots or proof-of-concept (without including sensitive data)
  • Your suggested remediation (optional)

Our Commitment

When you report a vulnerability in good faith and in accordance with this policy, we commit to:

  • Acknowledge receipt of your report within 3 business days
  • Provide an initial assessment within 10 business days
  • Keep you informed of our progress in addressing the issue
  • Not pursue legal action against researchers who follow this policy
  • Credit you for the discovery (if desired) once the issue is resolved

Out of Scope

The following issues are generally considered out of scope:

  • Issues that require physical access to a user's device
  • Issues affecting outdated browsers or platforms
  • Social engineering attacks
  • Spam or social media account issues
  • Denial of service vulnerabilities
  • Content spoofing or text injection without demonstrated impact
  • Missing security headers without demonstrated exploit
  • Clickjacking on pages without sensitive actions
  • Rate limiting issues on non-authentication endpoints

Contact

To report a security vulnerability, please email:

security@ceremonio.com

Please include "Security Vulnerability Report" in the subject line. If you need to share sensitive information, we can provide a PGP key upon request.

Legal

This policy is intended to be compatible with good faith security research. We will not pursue legal action against researchers who discover and report vulnerabilities in accordance with this policy. However, we reserve the right to take legal action against individuals who conduct research outside the scope of this policy or with malicious intent.