Security & Responsible Disclosure
If you've found a security issue on SoseCore, this page tells you exactly how to report it and what to expect back from us.
How to report
- Email: security@sosecore.com
- Response time: We acknowledge reports within 48 hours (usually sooner).
- Encryption: PGP key available on request — for now, plain text email is fine.
- Languages: English or Russian.
What's in scope
- The marketplace (
sosecore.com) - User & vendor accounts
- Authentication and session handling
- Payment integration with Paddle
- File upload & download flows
- Admin panel (if you have a way in — that itself is a finding)
- DoS / DDoS attacks
- Brute force or rate-limit probing
- Social engineering of staff or vendors
- Physical attacks
- Spam / phishing of users
- Bugs in third-party services (Paddle, Cloudflare, etc.) — report to them
- Reports without a reproducer (steps + payload)
Safe harbor
We won't pursue legal action against researchers who:
- Test only on accounts they own (or have explicit written permission to test).
- Don't access, modify, or destroy other users' data.
- Don't degrade service for others — no DoS, no load tests, no log spam.
- Report vulnerabilities privately first and don't disclose publicly before we ship a fix (give us reasonable time — typically 90 days).
What we'll do
- Acknowledge your report within 48 hours.
- Triage the issue and assign a severity (critical / high / medium / low).
- Provide regular status updates as we investigate and patch.
- Credit you in our Hall of Fame below (only with your consent — anonymous reports are welcome too).
- Notify you when the fix ships, so you can verify it.
Hall of Fame
No confirmed reports yet — the page is fresh. Be the first and we'll list you here with whatever attribution you like (handle, real name, link, or just "Anonymous").