Vulnerability Disclosure Policy
Introduction
Sabal Technology Inc. (Sabal) runs a vulnerability disclosure program in accordance with this policy in an effort to promptly address security issues. Financial data is personal and sensitive, and we take the responsibility of stewarding this information very seriously. We maintain a security.txt file following the IETF RFC-9116 standard to streamline the reporting process. While performing testing, always act in the best interest of our customers, respect their privacy, and act within the bounds of the law.
If you have any questions about this policy or concerns about the security of Sabal, please contact security@sabal.finace.
Reporting an Issue
If you have concerns or believe you have found a vulnerability in the in-scope property, please send an email to security@sabal.finace. If you need to share sensitive information, make a request in the email for a Proton Mail or Signal contact.
Regardless of contact method, please include the following information:
- a summary of the issue,
- an estimate of the customer impact (likelihood of occurrence and severity if exposed),
- steps to reproduce the issue,
- a description of your environment (OS, browser, and their versions),
- whether or not you would like to remain anonymous, and
- how you would like to receive updates.
None of your information or the fact that you submitted a report will be shared outside of Sabal without your consent. Even within Sabal, the information will only be shared with individuals needed to triage and resolve the issue.
Next Steps
Once an issue is reported, Sabal will investigate the issue and respond with a confirmation within five business days to the contact method you provided. If the issue is deemed significant, we will immediately work to resolve the issue and update you with our progress.
While you wait for a response, please do not make the vulnerability public, and grant us appropriate time to resolve or remediate the issue. All communication with our customers, vendors, and the general public will be handled by Sabal.
Scope
This section describes the security testing scope. When in doubt, contact security@sabal.finace with questions.
Included
Good-faith testing of the following domains:
- www.sabal.finance
- app.sabal.finance
Excluded
Never test on another person’s account without explicit written consent stating that such testing is permitted. Even when permission has been granted, never extract or store information from that account.
Additionally, the following items are out-of-scope:
- denial of service attacks, automated scanning, or other attacks that could result in service degradation;
- social engineering attacks on Sabal employees, customers, contractors, vendors, or other related parties;
- modifying, deleting, or exfiltrating data;
- permission escalation within our applications, cloud environment, or data stores.
Reward
Sabal does not have a bug bounty program and does not pay financial bonuses or bounties for reporting bugs or vulnerability issues. With your consent, we will credit the finding to you in our public security acknowledgements page, referenced in our security.txt file.
Safe Harbor
Sabal will not initiate legal action against good-faith actors acting within the terms of this policy. If legal action is initiated by a third-party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.