Merge pull request #21 from Countly/ar2rsawseen-patch-1

ar2rsawseen · web-flow · commit 1b3ff1df77f9 · 2025-11-10T11:44:48.000+02:00
Revise SECURITY.md with vulnerability levels and rewards
diff --git a/SECURITY.md b/SECURITY.md
@@ -0,0 +1,19 @@
+# Security Policy
+
+Security is very important to us. If you discover any issue regarding security, please disclose the information responsibly by sending an email to security@count.ly and not by creating a GitHub issue.
+
+All software related security bugs with severity of medium and higher will be awarded accordingly with a bug bounty reward.
+
+# Vulnerability levels
+**Critical Severity:** software can be exploited at any time without any additional information
+
+**High Severity:** some additional information, access or action required (from the user, like clicking on injected link) for software to be exploited
+
+**Medium Severity:** the impact is limited (for example, can only access limited information) or requires special conditions to achieve it (when server is configured in specific way)
+
+**Low** - no bounty rewards, does not directly lead to vulnerability, but provides a possibility (like exposing software version, which can be mapped to specific vulnerabilities), old dependencies, server misconfiguration
+
+**Exclusion**
+
+Server specific configurations and deployment specific configurations due to on premise nature of our software.
+All server configuration related issues will be reported to related departments/parties/companies, but we cannot guarantee any bounty rewards for them.
