Datacendia is committed to the security of our platform and our customers' data.
We welcome and appreciate security researchers who help us identify vulnerabilities responsibly.
Scope
In Scope
- Datacendia platform (datacendia.com, app.datacendia.com)
- Datacendia APIs
- Datacendia mobile applications
- Open-source Datacendia projects on GitHub
Out of Scope
- Third-party services and integrations
- Social engineering attacks against Datacendia employees
- Physical security of Datacendia offices
- Denial of service attacks
- Spam or social engineering techniques
How to Report
Please provide:
- Description: Clear description of the vulnerability
- Steps to Reproduce: Detailed steps to reproduce the issue
- Impact: Your assessment of the potential impact
- Proof of Concept: Screenshots, videos, or code (if applicable)
- Your Contact: How we can reach you for follow-up
Example Report
Subject: [Security Report] SQL Injection in /api/v1/search
Description:
The search endpoint is vulnerable to SQL injection via the 'query' parameter.
Steps to Reproduce:
1. Navigate to /api/v1/search
2. Send POST request with body: {"query": "'; DROP TABLE users; --"}
3. Observe database error in response
Impact:
An attacker could read, modify, or delete database contents.
Proof of Concept:
[Screenshot attached]
Contact:
researcher@example.com
Our Commitment
Response Timeline
| Action | Timeline |
|---|---|
| Acknowledgment | Within 2 business days |
| Initial Assessment | Within 5 business days |
| Status Update | Every 7 days until resolved |
| Resolution Target | 90 days (severity-dependent) |
Severity-Based Response
| Severity | Description | Target Resolution |
|---|---|---|
| Critical | Remote code execution, data breach | 7 days |
| High | Authentication bypass, privilege escalation | 30 days |
| Medium | XSS, CSRF, information disclosure | 60 days |
| Low | Minor issues, best practice violations | 90 days |
Safe Harbor
Datacendia will not pursue legal action against security researchers who:
- Make a good-faith effort to avoid privacy violations, data destruction, and service disruption
- Only interact with accounts they own or have explicit permission to test
- Do not exploit vulnerabilities beyond what is necessary to demonstrate the issue
- Report vulnerabilities promptly and do not disclose them publicly before we've had reasonable time to address them
- Do not use automated scanning tools that generate excessive traffic
Researcher Guidelines
✅ Do
- Report vulnerabilities as soon as you discover them
- Provide detailed information to help us reproduce the issue
- Give us reasonable time to fix issues before public disclosure
- Act in good faith to avoid harm
❌ Don't
- Access, modify, or delete data belonging to other users
- Perform actions that could harm service availability
- Use automated tools that generate excessive load
- Publicly disclose before we've addressed the issue
Recognition
We maintain a Security Hall of Fame to recognize researchers who help improve our security.
What We Offer
- Public acknowledgment (with your permission)
- Datacendia swag for significant findings
- Reference letter for your security portfolio
- Priority consideration for security roles at Datacendia
Note: Datacendia does not currently operate a paid bug bounty program.
We offer recognition and gratitude for responsible disclosures.
Exclusions
The following are generally not considered vulnerabilities:
- Missing security headers that don't lead to exploitable vulnerabilities
- Clickjacking on pages with no sensitive actions
- CSRF on logout or other non-sensitive functions
- Missing rate limiting (unless exploitable)
- Disclosure of software versions
- Theoretical vulnerabilities without proof of concept
- Issues requiring physical access to a user's device
- Issues in third-party components (report to the vendor)
Contact
Security Reports: security@datacendia.com
General Security Questions: compliance@datacendia.com
© 2026 Datacendia, Inc. All rights reserved.