This policy governs good-faith security research conducted by DataWizual. Our mission is to identify systemic risks in CI/CD workflows and infrastructure while ensuring responsible, non-intrusive coordination with software vendors.
In Scope
- Publicly accessible code repositories and configurations
- CI/CD workflow definitions
- Infrastructure-as-Code files (Terraform, CloudFormation, etc.)
- Dependency manifests (package.json, requirements.txt, etc.)
Out of Scope
- Private infrastructure systems
- Live exploitation or interface misuse
- Social engineering or phishing
- Denial-of-Service testing
Safe Harbor
This policy is intended to provide Safe Harbor under applicable laws for researchers acting in good faith and within the terms described herein. DataWizual will not pursue legal action against good-faith security research consistent with this policy.
Response & Timeline
DataWizual commits to acknowledge reports within 3–7 business days. Findings will remain confidential until a fix is available or a maximum of 90 days has elapsed, unless mutually agreed otherwise.
1. Research Principles
Non-Intrusive: Analysis is limited to public artifacts.
No Exploitation: We never execute payloads against live systems.
Privacy-First: We do not collect or store private data.
2. Disclosure Coordination
- Private notification via official security channels.
- Provision of detailed findings and remediation advice.
- Findings remain confidential for 90 days or until a fix is released.
3. Safe Harbor
We consider research conducted under these guidelines to be authorized. DataWizual will not initiate legal action against parties who coordinate in good faith.
Security Contact
eldorzufarov66@gmail.com
Standard response time: 3–7 business days.