Kreditz Responsible Disclosure Policy

Safe Harbor

Kreditz considers research conducted under this policy to be authorized. We will not pursue civil or criminal legal action against you, nor support such action by third parties, provided that you:

  • Act in good faith to avoid privacy violations, destruction of data, and interruption or degradation of our services.
  • Operate within the scope of this policy.
  • Communicate with us exclusively through the official channels defined below.
  • Keep the vulnerability confidential until we have resolved the issue.

Scope

The following services are in scope for this policy:

Out of Scope

  • Marketing website (www.kreditz.com) and other static content pages.
  • Third-party providers or services integrated with Kreditz.

Reporting a Vulnerability

If you believe you have discovered a vulnerability, please report it to security@kreditz.com.

What to include:

  • Description of the vulnerability.
  • Steps to reproduce the issue (Proof of Concept).
  • The impact of the vulnerability.

Important Note on Sensitive Data: As we do not currently use PGP encryption for email, please do not include sensitive Personally Identifiable Information (PII) or real financial data in the body of your email. If sharing such data is necessary to prove the vulnerability, please redact it or ask us for a secure transfer method in your initial report.

Our Response

Acknowledgement: We aim to acknowledge receipt of your report within 72 hours.

Remediation: We aim to resolve critical security issues within 30 business days. We will keep you updated on our progress.

Recognition: We sincerely appreciate your efforts in helping us secure our platform. While we do not currently offer a bug bounty program or a public Hall of Fame, we value your contribution to the security community.

Rules of Engagement

To ensure safety and compliance, the following are strictly prohibited:

  • Social Engineering: Phishing or social engineering of Kreditz employees, contractors, or customers.
  • Denial of Service: Any attack intended to degrade or disrupt service (DoS/DDoS).
  • Data Privacy: Accessing, downloading, or modifying data that does not belong to you. If you encounter PII (Personally Identifiable Information) or financial data, stop immediately and report the issue.
  • Physical Attacks: Attacks against Kreditz physical offices or our cloud infrastructure providers.

Thank you for helping keep Kreditz and our customers safe.