Vulnerability Disclosure Policy

Introduction

 This policy aims to provide clear guidance for independent security researchers on the standards to follow when conducting vulnerability discovery activities and how we expect to receive security vulnerability reports. It specifies the applicable systems and types of research, the method of submitting vulnerability reports, and the waiting period before publicly disclosing a vulnerability. We encourage you to contact us to report any potential vulnerabilities in our systems.

 

Policy

We encourage and welcome good-faith security research. If you conduct your research lawfully, in good faith, and in accordance with this policy, we will treat your actions as authorized and appreciate your efforts in helping us improve security. For research conducted in compliance with this policy, we will not pursue legal action or report to law enforcement, and we will actively cooperate with you to resolve potential issues.

We will also respect and protect your identity information and will not disclose it externally without your explicit permission. Please note that this authorization and protection only apply to systems and services operated or explicitly authorized by our company, and not to third-party platforms. Research that goes beyond the scope of this policy or violates applicable laws may be subject to legal action.

 

Guidelines

  1. Do not damage systems or steal data: Use vulnerabilities only as necessary to verify their existence. Once you have obtained sufficient information to confirm a security issue, do not attempt to maintain persistent access, perform enumeration, steal internal data, establish command-line access, or use the vulnerability to move laterally to other systems. If you encounter sensitive data (such as personal information, financial information, proprietary data, or trade secrets), stop testing immediately and notify only us.
  2. Respect others' privacy: Do not violate the privacy of Akulaku employees or customers, access data that does not belong to you, conduct non-technical attacks (such as social engineering, phishing, or unauthorized access to infrastructure or employees), disrupt production systems, or tamper with data.
  3. Cooperate: Once a vulnerability is discovered, you must promptly cooperate with us through our coordinated disclosure process. Reports can be submitted using the email provided below.
  4. Timely notification: Notify us as soon as you identify a real or potential security issue, without delaying its handling.
  5. Vulnerability disclosure: After submission, please allow us a reasonable amount of time to fix the vulnerability before any public disclosure. Recognition and timing of disclosure are solely determined by us, and disclosure plans may be revoked at any time. Testing must not violate the law.

 

Testing methods

The following testing methods are not authorized:

  • Network denial-of-service (DoS or DDoS) or any other tests that could damage systems or data.
  • Physical testing (e.g., accessing offices, tailgating), social engineering (e.g., phishing, vishing), or any other non-technical vulnerability testing.

Scope

This policy applies to the following systems and services:

Please note that some systems using the “akulaku” domain or its subdomains may be managed by partners, affiliates, or independent third parties. These assets are not included in the testing scope of this policy unless explicitly designated as eligible testing targets by the official Akulaku Security Team in this policy or through other formal channels.

Except for the assets explicitly listed above, all other domains and third-party–hosted resources are outside the scope of this policy.
If you are unsure whether a system is within the scope, please contact security@akulaku.com first.

Vulnerability Report

Information you submit will be used only for defensive purposes—to mitigate or remediate cybersecurity vulnerabilities. Unless you give explicit permission, we will not share your name or contact information.

We accept vulnerability reports by email: security@akulaku.com. We will acknowledge receipt within 5 business days.

Suggested report contents:

  • Describe the location of the vulnerability and its potential impact.
  • Provide detailed steps to reproduce the vulnerability (PoC scripts or screenshots are helpful).

 

Questions and Inquiries

If you have any questions regarding this policy, please send an email to security@akulaku.com. We also welcome your suggestions for improvement.