1. Scope
This policy covers security issues in the assets we publish and operate directly:
- spicemodo.com and all subdomains we operate
- Content and code served from the spicemodo.com origin
- Email addresses at the spicemodo.com domain
Out of scope
- Third-party services we embed (for example Google Analytics, Google Fonts, Cloudflare). Report issues in those products to their vendors.
- Social-engineering attacks against staff, customers, or suppliers.
- Physical security of our offices or warehouses.
- Findings that require the researcher to compromise a user's device or account first.
- Denial-of-service testing, volumetric attacks, or any active attempt to degrade availability.
- Issues already public or previously reported.
2. How to Report
Send a single email describing the issue to [email protected]. Please include:
- A clear description of the issue and its security impact
- Step-by-step reproduction instructions, ideally with a minimal proof-of-concept
- The URL(s), request(s), or component(s) affected
- Any logs, screenshots, or videos that help us reproduce the issue
- How you would like to be credited (or whether you prefer to stay anonymous)
Please do not: publish the issue before we have had a chance to respond, send bulk marketing or phishing-style emails, or use automated scanners that generate high volumes of traffic against our origin. If you need to disclose urgently because users are at active risk, say so in the subject line.
3. Our Commitments (SLA)
- Acknowledgement: within 3 business days of receiving a report at [email protected].
- Triage update: within 10 business days, confirming validity, severity, and a tentative remediation timeline.
- Remediation targets: Critical within 14 days of confirmation, High within 30 days, Medium within 60 days, Low best-effort.
- Coordinated disclosure: once a fix is live, we will confirm with you and agree a public disclosure window (typically 30 days after fix).
- Credit: with your consent, we will credit you on this page and in any public write-up.
4. Safe Harbor
When a researcher complies with this policy, acts in good faith, and avoids harming users or data, SpiceModo:
- Will not pursue or support legal action against you for your research
- Will not report your activity to law enforcement purely on the basis of the report
- Will work with you to understand and resolve the issue quickly
We cannot, and do not, grant safe harbor for activity that breaks the law or harms third parties. If a legal issue arises, please contact us first so we can help clarify scope before escalation.
5. Rules of Engagement
- Only test assets listed under Scope. Do not pivot into third-party services.
- Do not attempt to access, modify, or destroy data that does not belong to you.
- Do not exfiltrate data beyond the minimum needed to demonstrate impact.
- Use your own test accounts or clearly labelled test data where possible.
- Delete any sensitive data accessed during testing once you have confirmed the issue.
- Give us a reasonable opportunity to remediate before any public disclosure.
6. What We Do Not Pay
SpiceModo does not currently operate a paid bug-bounty programme. We offer public credit and, for notable reports, a small thank-you (such as a pack of our flagship spices). We reserve the right to introduce a bounty programme in the future.
7. Languages
Reports are accepted in English. Our team is based in Hyderabad, India (IST / UTC+05:30); responses typically arrive within business hours.
8. Public Key & Encryption
A PGP key for encrypted reports will be published at /.well-known/pgp-key.txt in a future update. Until then, please reach out at [email protected] and we will coordinate an out-of-band channel if the report is sensitive.
9. Changes
This policy may be updated to reflect operational changes. Material changes will bump the "Last reviewed" date above. The machine-readable companion at /.well-known/security.txt follows RFC 9116 and is kept in sync.
Contact
- Email: [email protected]
- Phone: +91 7337 568 989
- Parent company: Vasundhara Performance Solutions Pvt. Ltd., Hyderabad, India
- RFC 9116 record: /.well-known/security.txt