Central Group Vulnerability Disclosure Policy
The safety and security of our customers' data, and the reliability of our products and services, are of utmost importance to Central Group. Therefore, we aim to design and make products and services with the highest levels of security and reliability. Despite our best efforts, due to the highly complex and sophisticated nature of our products and services, vulnerabilities and errors may still be present in our products and services.
This policy describes Central Group's approach to requesting and receiving reports related to potential vulnerabilities and errors in its products and services from those that interact with such products and services.
Customers, users, researchers, partners and any other person that interacts with Central Group's products and services are encouraged to report identified vulnerabilities and errors with such products and services.
The preferred method for contacting Central Group regarding such vulnerabilities and errors is by using the form present on this page.
Central Group highly appreciates the efforts made by the reporting party in identifying the vulnerability or error. Reporting of such vulnerabilities and errors will contribute to improving the security and reliability of our products and services. However, this program will not provide any cash reward or financial incentive of any kind for the detection and/or resolution of the validated vulnerability.
Please note that supplying your contact information with your report is entirely voluntary and at your discretion. Central Group will make use of all reports that are submitted, both those submitted anonymously and those with contact information. If you do submit your contact information, Central Group will only use such information to get in touch with you regarding clarifying the details of your report, if that is necessary. Otherwise, please visit Central Group's general privacy policy to see how we respect the privacy of your personal data: Central Group Privacy Policy
By making a report to Central Group using the form on this page, or otherwise communicating a report to Central Group, regarding vulnerabilities and errors, you agree to the following terms:
Central Group may use your report for any purpose deemed relevant by Central Group, including without limitation, for the purpose of correcting any vulnerabilities and errors that are reported and that Central Group deems to exist and to require correction. To the extent that you propose any changes and/or improvements to a Central Group product or service in your report, you assign to Central Group all use and ownership rights to such proposals.
You confirm to Central Group that:
- You have not exploited or used in any manner, and will not exploit or use in any manner (other than for the purposes of reporting to Central Group), the discovered vulnerabilities and/or errors;
- You have not engaged, and will not engage, in testing/research of systems with the intention of harming Central Group, its customers, employees, partners or suppliers;
- You have not used, misused, deleted, altered or destroyed, and will not use, misuse, delete, alter or destroy, any data that you have accessed or may be able to access in relation to the vulnerability and/or error discovered;
- You have not conducted, and will not conduct, social engineering, spamming, phishing, denial-of-service or resource-exhaustion attacks;
- You have not tested, and will not test, the physical security of any property, building, plant or factory of Central Group;
- You have not breached, and will not breach, any applicable laws in connection with your report and your interaction with the Central Group product or service that led to your report;
- You agree not to disclose to any third party any information related to your report, the vulnerabilities and/or errors reported, nor the fact that vulnerabilities and/or errors have been reported to Central Group.
- Central Group does not guarantee that you will receive any response from Central Group related to your report. Central Group will only contact you regarding your report if Central Group deems it necessary.
- You agree that you are making your report without any expectation or requirement of reward or other benefit, financial or otherwise, for making such report, and without any expectation or requirement that the vulnerabilities and/or errors reported are corrected by Central Group.
Out-of-Scope / Non-Qualifying Findings
The following findings are generally considered out of scope unless the researcher can demonstrate clear, realistic, and material security impact against an in-scope asset. Reports that only identify a theoretical weakness, scanner output, configuration preference, or best-practice deviation without practical exploitability may be closed as informational or not applicable.
- Unverified automated scanner results
- Reports based only on tool output without manual validation
- SSL/TLS issues (e.g. expired certificates, best practices)
- Missing or weak security headers without practical impact
- Missing cookie flags on non-sensitive cookies
- Missing Secure, HttpOnly, or SameSite flags without demonstrated impact
- Missing HTTP Strict Transport Security (HSTS) header
- Presence of autocomplete attribute on web forms
- Session management issues (e.g. lack of expiration, no logout on password change, concurrent sessions)
- Mixed content warnings that do not expose sensitive data or enable account compromise
- Invalid or missing email security records (e.g. SPF, DKIM, DMARC)
- Email spoofing reports without demonstrated delivery or security control bypass
- Reports with attack scenarios requiring MITM or physical access to the victim's device
- Social engineering, phishing, vishing, smishing, or impersonation
- Attacks requiring the user to paste code into the browser console
- Self-XSS without impact to other users
- Clickjacking without a sensitive state-changing action
- CSRF on logout or other low-impact actions
- CORS misconfiguration without access to sensitive data
- Content spoofing or text injection without security impact
- Username or email enumeration without practical account-compromise impact
- Missing rate limits without a realistic abuse scenario
- Brute-force claims without practical exploitability
- Denial-of-service or resource-exhaustion testing
- Version disclosure without a working exploit
- Server, framework, CDN, WAF, or technology fingerprinting
- Public metadata, comments, or non-sensitive error messages
- Public files such as robots.txt, sitemap.xml, security.txt, or manifest files
- Public source maps without secrets or sensitive source code
- Directory listings containing only public files
- Reports affecting only outdated browsers or unsupported clients
- Issues requiring rooted, jailbroken, debug, or non-standard devices
- Third-party service findings unless caused by our implementation
- Best-practice recommendations without a concrete security boundary violation
- Reports without clear reproduction steps
- Reports without demonstrated confidentiality, integrity, availability, authentication, authorization, or business-logic impact