Vulnerability Disclosure Program Policy

Responsible Disclosure

At Simplex, we highly value the contributions of cybersecurity researchers and the broader community in helping us maintain strong security standards.

If you discover a potential security vulnerability in any of our websites or tools, we kindly ask that you report it to us before making any public disclosure. This allows us sufficient time to assess and remediate the issue appropriately. This process is known as "responsible disclosure."

Please do not share any details regarding the vulnerability with third parties at any time.

How to Report a Vulnerability

If you identify a security vulnerability, please follow these steps:

- Contact us as soon as possible via email at adm@simplexanalytics.com.br.

- Include the following details in your report:

  - The nature of the vulnerability discovered.

  - The service, tool or application affected.

  - A comprehensive explanation of the issue, along with any relevant supporting materials (e.g., screenshots, logs, or other files).

Providing your contact information is entirely optional. If you do include your details, we will only use them to communicate with you regarding your report, if necessary.

Reporting Terms

By submitting a vulnerability report to Simplex, you agree to the following conditions:

- Simplex may use the information provided to resolve security issues and improve our systems.

- Any suggested changes or improvements derived from your report will become the property of Simplex.

- You confirm that:

  - You have not and will not exploit the discovered vulnerability in any way beyond responsible reporting.

  - You have not and will not conduct security testing with malicious intent against Simplex systems.

  - You have not and will not access, alter, misuse, or delete any data obtained through the vulnerability.

  - You have not and will not attempt physical security tests on Simplex premises.

- You acknowledge that reporting vulnerabilities does not entitle you to compensation, financial or otherwise.

Examples of Considered Vulnerabilities

We will investigate reports related to, but not limited to:

- Injection and deserialization flaws (e.g., NoSQL, SQL, LDAP injection, command injection, object deserialization).

- Authentication and access control weaknesses.

- Exposure of sensitive data.

- Cross-site scripting (XSS) vulnerabilities.

- Cross-site request forgery (CSRF) attacks.

- Server-side request forgery (SSRF).

- Unvalidated redirects.

- API misconfigurations or improper access controls.

Our Response Process

Once a vulnerability is reported, we will handle it as follows:

- Acknowledgment of receipt within five (5) business days.

- Confidential handling of your report, ensuring your details are not shared with third parties.

- Please note that Simplex does not offer financial rewards for vulnerability disclosures. Reports are submitted on a voluntary basis without expectation of compensation.

We appreciate your efforts in helping us keep our systems secure.