1. Introduction
Trusted Tech Africa is committed to the security of the SafetyMeter platform and the protection of our users. We recognise the valuable role that security researchers and the wider community play in identifying vulnerabilities. This Responsible Disclosure Policy sets out how we ask researchers to report vulnerabilities and what we commit to in return.
2. Scope
This policy applies to security vulnerabilities found in:
- safetymeter.org and all subdomains
- SafetyMeter's public API endpoints
- SafetyMeter's web application and its client-side code
The following are out of scope:
- Third-party services used by SafetyMeter (report these to the relevant vendor)
- Denial-of-service attacks of any kind
- Social engineering or phishing attacks targeting our team
- Physical attacks against our infrastructure
- Automated scanning that impacts Platform availability
- Vulnerabilities in outdated browser versions or non-supported platforms
- Missing security headers that do not represent exploitable vulnerabilities
3. How to Report
Please send your vulnerability report to:
Email: info@trustedtechafrica.com
Subject line: Security Vulnerability Report — SafetyMeter
For sensitive reports, you may request our PGP key to encrypt your submission.
4. What to Include
To help us triage and reproduce your finding, please include:
- A clear description of the vulnerability and its potential impact
- The URL, endpoint, or component affected
- Step-by-step reproduction instructions
- Proof-of-concept code or screenshots (if applicable)
- Your assessment of severity (Critical / High / Medium / Low)
- Any suggested mitigation or fix
5. Our Commitments
When you report a vulnerability in accordance with this policy, we commit to:
- Acknowledge receipt of your report within 5 business days
- Confirm whether we can reproduce the issue within 10 business days
- Provide regular updates on our progress toward a fix
- Notify you when the vulnerability has been resolved
- Credit you (with your permission) in our security acknowledgements
- Not pursue legal action against you under applicable computer crime laws, provided you comply with this policy
6. Safe Harbour
We consider security research conducted in accordance with this policy to be authorised under our Terms of Use. If your research is conducted in good faith and complies with the rules below, we will not seek to prosecute or pursue civil action against you.
To qualify for safe harbour, your research must:
- Not access, modify, or exfiltrate data beyond the minimum necessary to demonstrate the vulnerability
- Not cause harm to the Platform, its infrastructure, or its users
- Not disclose the vulnerability publicly before we have had a reasonable opportunity to address it (coordinated disclosure)
- Not exploit the vulnerability for any purpose beyond demonstrating it to us
7. Coordinated Disclosure
We request a 90-day coordinated disclosure window from the date we confirm the vulnerability. We will work to resolve confirmed high and critical vulnerabilities within this timeframe. If we cannot remediate within 90 days, we will negotiate an extension in good faith and will inform you of our progress.
We ask that you do not disclose the vulnerability publicly until we have confirmed the fix is live, or the coordinated disclosure window has elapsed, whichever comes first.
8. Bug Bounty
SafetyMeter does not currently operate a paid bug bounty programme. We offer public acknowledgement and genuine gratitude for responsibly disclosed vulnerabilities. We will review the feasibility of a formal bounty programme as the platform grows.
9. Legal
This policy does not give you permission to access accounts, data, or systems belonging to other users. Any testing that risks exposing user data, disrupting service availability, or causing harm is strictly prohibited. We reserve the right to report bad-faith security "research" to law enforcement.