Responsible Disclosure Guidelines

We ask that all researchers:

• Act in good faith and avoid actions that could harm StaffSavvy, our customers, or their data

• Avoid accessing, modifying, or deleting customer information

• Only test against accounts or systems you own or are explicitly authorised to test

• Avoid service disruption, spam, social engineering, or denial of service activity

• Give us reasonable time to investigate and remediate issues before public disclosure

Customer Security Concerns

If you are a customer reporting suspicious activity, account concerns, or suspected compromise, rather than conducting security research, please contact our support team: StaffSavvy Support

Security incidents are prioritised and handled as quickly as possible.

In Scope

Examples of vulnerabilities we are interested in include:

• Authentication or authorisation bypasses

• Access control vulnerabilities

• Cross-site scripting (XSS)

• Cross-site request forgery (CSRF)

• SQL injection (SQLi)

• Server-side request forgery (SSRF)

• Remote code execution (RCE)

• Sensitive data exposure

• Privilege escalation

• Business logic vulnerabilities with security impact

Submit a Vulnerability Report

Out of Scope

The following are generally considered out of scope unless accompanied by a demonstrated security impact:

• Denial of service attacks or traffic flooding

• Social engineering or phishing attacks

• Physical attacks against infrastructure or personnel

• Missing security headers without exploitability

• Reports based solely on outdated software versions

• Self-XSS requiring user self-compromise

• Spam, rate limiting, or CAPTCHA bypasses without material impact

• Vulnerabilities affecting third-party services outside StaffSavvy control

• Automated scanner output without a reproducible finding