GEOPERA

Responsible Disclosure Policy

Table of Contents

1. Purpose

Geopera Pty Ltd ("Geopera," "Company," "we," "our," or "us") prioritizes the security of our geospatial platform, processing systems, and user data. This Responsible Disclosure Policy ("Policy") provides security researchers ("you," "your," "yours") with clear guidelines for conducting vulnerability discovery activities and outlines our recommended procedures for reporting potential vulnerabilities.

We value the contributions of security researchers who help maintain the integrity and security of our systems through responsible disclosure of potential vulnerabilities discovered in good faith.

2. Scope of Systems

Included Systems

This Policy covers all internet-facing systems owned, operated, or controlled by Geopera, including:

  • Geopera's core processing platform
  • Web applications and APIs
  • Satellite data processing systems
  • Geospatial analysis tools
  • Authentication systems
  • Data storage systems
  • User management interfaces
  • Billing systems
  • Integration endpoints

Excluded Systems

This Policy does not cover:

  • Third-party satellite data providers
  • External mapping services
  • Partner integration systems
  • Content delivery networks
  • Cloud infrastructure providers
  • Third-party payment processors
  • External authentication providers
  • Systems not owned by Geopera

3. Scope of Vulnerabilities

Included Vulnerabilities

We're particularly interested in vulnerabilities affecting:

  • Geospatial processing pipelines
  • Data access controls
  • Authentication mechanisms
  • API security
  • Spatial data integrity
  • Processing workflows
  • User isolation
  • Resource allocation
  • Data privacy
  • System configurations

Excluded Vulnerabilities

This Policy excludes:

  • General security best practices without proof-of-concept
  • Physical security compromises
  • Social engineering attempts
  • Denial of service attacks
  • Rate limiting on non-authenticated endpoints
  • Known zero-day vulnerabilities with patches less than 30 days old
  • Model behavior or output issues
  • Missing security headers without impact
  • Brute force attacks on non-owned accounts
  • Basic SSL/TLS configuration issues
  • Clickjacking on non-sensitive pages

4. How to Submit a Report

If you discover a security vulnerability, please submit a detailed report to [email protected] including:

Required Information

  • Vulnerability type and severity
  • Technical details and impact
  • Step-by-step reproduction steps
  • Affected system/URL
  • Supporting evidence (POC, screenshots, logs)
  • Potential impact assessment
  • Suggested remediation

Submission Guidelines

  • One vulnerability per report
  • Clear, detailed descriptions
  • Reproducible steps
  • Supporting evidence
  • Disclosure timeline plans
  • Contact information (optional)

5. Research Guidelines

We consider research conducted in good faith when you:

Acceptable Behavior

  • Test only identified in-scope systems
  • Minimize system impact
  • Report promptly and privately
  • Provide clear documentation
  • Follow responsible disclosure
  • Respect user privacy
  • Maintain confidentiality
  • Delete any collected data
  • Wait for our response before disclosure

Prohibited Actions

  • Accessing unauthorized data
  • Modifying system data
  • Disrupting services
  • Compromising privacy
  • Social engineering
  • Automated scanning
  • Physical attacks
  • Denial of service
  • Unauthorized access
  • Data exfiltration

6. Our Commitments

When you submit a vulnerability report, we will:

Our Response

  • Acknowledge receipt within 2 business days
  • Evaluate findings promptly
  • Keep you updated on progress
  • Validate reported issues
  • Address confirmed vulnerabilities
  • Protect your identity
  • Credit your contribution (with permission)
  • Provide safe harbor protection

7. Timeline

  • Initial response: 2 business days
  • Preliminary assessment: 5 business days
  • Validation: 10 business days
  • Remediation plan: 15 business days
  • Regular updates until resolution

8. Safe Harbor

We will not pursue legal action against researchers who:

  • Act in good faith
  • Follow this policy
  • Report promptly
  • Maintain confidentiality
  • Avoid harmful actions
  • Comply with laws
  • Make unconditional disclosures

9. Special Considerations

Geospatial-Specific Guidelines

  • Report unauthorized access to restricted geographical data
  • Alert us to sensitive location exposure
  • Notify about privacy-impacting vulnerabilities
  • Report processing pipeline vulnerabilities
  • Flag unauthorized data access capabilities

Critical Systems

  • Additional care required when testing:
  • Satellite data processing systems
  • Real-time analysis pipelines
  • Emergency response systems
  • Critical infrastructure analysis tools
  • High-security customer environments

10. Contact Information

Security Team

Email: [email protected]

11. Policy Updates

  • We reserve the right to update this Policy at any time
  • Updates will be:
  • Published on our website
  • Dated with last modification
  • Previous versions archived
  • Existing reports honored under original policy
  • Users notified of material changes