At ActorDo, we are committed to maintaining the highest level of security, integrity, and trust for our users, partners, and systems.

Read more about Actor Data Security and Privacy Policy

Our Vulnerability Disclosure Program (VDP) is designed to provide a clear, safe, and responsible way for security researchers, ethical hackers, and the community to report security vulnerabilities in our products and services.

This program encourages cooperation and responsible disclosure, enabling us to identify, fix, and minimize risks before they can be exploited.

Scope

In-scope systems / assets include (but are not strictly limited to):

  • ActorDo web applications and APIs
  • Backend services, microservices, and cloud infrastructure
  • Internal systems, as permitted under pre-approval (see contact)

Out-of-scope systems / assets include:

  • Third-party services, integrations, or dependencies not built by ActorDo
  • Physical attacks / hardware (e.g. data centers, devices unless explicitly authorized)
  • Social engineering, phishing, or impersonation attacks (unless explicitly authorized in writing)
  • Non-security bugs or feature requests
  • Any testing that may cause service disruption or denial of service

To qualify, the vulnerability should:

  • Be present in the latest publicly released version (or officially released beta)
  • Lead to a security impact (e.g. data leakage, privilege escalation, remote code execution, bypass of controls)

Guidelines & Rules of Engagement

When participating, please follow these rules to remain eligible for recognition or rewards:

  1. Do no harm
    • Do not delete or modify data, or interrupt normal operations.
    • Avoid disruptive actions (e.g. launching DDoS attacks, or causing service degradation).
  2. Limit your probing
    • Do not attempt to access or manipulate non-public data beyond what is strictly necessary to demonstrate the vulnerability.
    • Where possible, use a test environment or non-production account.
  3. Confidentiality
    • Do not disclose findings publicly (blogs, social media, etc.) before ActorDo has had a reasonable time to respond and remediate (see “Disclosure & coordination” below).
    • Do not share or sell the information to third parties.
  4. No social engineering
    • Phishing, impersonation, or similar techniques are out of scope unless explicitly permitted.
  5. Respect privacy and legal constraints
    • Do not violate privacy laws or access sensitive personal data beyond what is necessary to demonstrate the flaw.
    • Comply with applicable local laws, regulations, and best practices.
  6. Disclosure & coordination
    • Allow us time (typically 90 days) to address the issue before public disclosure, unless otherwise agreed.
    • If you think earlier disclosure is warranted (e.g. risk of exploitation), please notify us so we can coordinate a shorter timeline.

Violations of these rules (e.g. destructive actions, public disclosure without coordination) may render a submission ineligible for reward or public recognition.

Reporting a Vulnerability

What to include in your report

Send your report to alex@actordo.com and include:

  • A short description of the issue
  • Steps to reproduce or proof of concept
  • Affected system or URL
  • (Optional) your name or handle for credit

We’ll acknowledge your report within 5 business days and keep you updated as we work on a fix. Submissions that are not considered valid may not receive an acknowledgement.

In your submission, please mark whether you wish to remain anonymous or be credited publicly.

Recognition & Rewards

  • We may offer thank-you rewards or public recognition based on impact and clarity.
  • Rewards are discretionary and depend on the severity and quality of the report.
  • Duplicate or low-impact findings may not be eligible.

Safe Harbor

If you follow this policy in good faith, you are protected from legal action related to your research.

Thank you for helping us keep ActorDo secure.