Security Disclosure Policy
Last updated: June 28, 2026
Overview
Secunit Mercantile LLC takes the security of our website and the trust of our clients seriously. If you believe you have found a security vulnerability in our systems, we encourage you to tell us so we can fix it. We commit to working with security researchers in good faith and resolving confirmed issues promptly.
This policy follows the coordinated vulnerability disclosure framework described in RFC 9116.
A machine-readable security.txt is available at /.well-known/security.txt.
Scope
This policy applies to security vulnerabilities in:
- secunit.io and all subdomains (e.g., subdomain.secunit.io);
- Secunit Mercantile's publicly accessible web applications and APIs; and
- Configuration or software we directly control.
The following are out of scope:
- Third-party services we do not control (Cloudflare, Resend, Proton, etc.);
- Social engineering or phishing attacks against our personnel;
- Denial-of-service (DoS/DDoS) attacks;
- Automated scanner findings without demonstrated proof of exploitability; and
- Physical security.
How to Report
Send a detailed report to [email protected]. If the report contains sensitive details, please encrypt it using one of our public keys listed below. For an additional contact channel, you may also reach us at [email protected].
Please include the following in your report:
- A clear description of the vulnerability and its potential impact;
- The affected URL, endpoint, or component;
- Step-by-step reproduction instructions or a proof-of-concept (PoC);
- Any screenshots, HTTP traces, or supporting evidence; and
- Your name or alias and preferred contact method for follow-up.
Our Commitments
- Acknowledgment — We will acknowledge receipt of your report within 3 business days.
- Assessment — We will assess the severity and scope within 10 business days and keep you informed of our progress.
- Remediation — We will work to remediate confirmed vulnerabilities as quickly as the severity warrants, prioritizing critical and high findings.
- Coordination — We will coordinate any public disclosure timeline with you. We ask for a reasonable embargo period (typically 90 days) to allow time for patching.
- No legal action — We will not pursue legal action against researchers who discover and report vulnerabilities in good faith in accordance with this policy.
Researcher Guidelines
We ask that you:
- Avoid accessing, modifying, or deleting data that does not belong to you;
- Avoid disrupting our services or the experience of other users;
- Limit your testing to the minimum necessary to confirm the vulnerability;
- Do not publicly disclose the vulnerability before we have had a reasonable opportunity to remediate it; and
- Act in good faith — research conducted in compliance with this policy will be treated as authorized.
Encryption Keys
For sensitive communications, please use one of the following GPG public keys to encrypt your report.
ECC Key (preferred)
UID: [email protected] — held by the maintainer who controls [email protected].
RSA Key
Recognition
We do not currently offer a monetary bug bounty program. However, we genuinely appreciate the work of security researchers and will publicly acknowledge your contribution (with your permission) once a vulnerability is resolved.
Contact
Security inquiries: [email protected]
Backup contact: [email protected]