Vulnerability Disclosure Policy

Malum welcomes good-faith security research. This Vulnerability Disclosure Policy ("VDP") describes how researchers can report security issues to us, what we commit to in return, and what testing is in scope. We follow ISO/IEC 29147 principles for coordinated disclosure.

Last modified 05/12/2026 Malum Legal Team

Table of Contents

  1. Our commitment
  2. Scope
  3. Out of scope
  4. Rules of engagement
  5. How to report
  6. What happens next
  7. Safe harbour
  8. Recognition and rewards
  9. Contact

Our commitment

If you report a vulnerability to us in good faith and in line with this policy we will:

  • Acknowledge receipt within two (2) business days.
  • Provide a triage update within seven (7) business days, including a CVSS-aligned severity assessment.
  • Keep you informed of progress and the expected remediation timeline.
  • Credit you publicly once the issue is fixed, if you wish to be credited.
  • Not pursue or support legal action against you for activity that complies with this policy.

Scope

The following assets are in scope:

  • malum.co and all subdomains operated by Malum.
  • The Malum public API (api/v3) and its documentation.
  • The hosted-checkout flow, including custom-domain checkouts served via the Malum Cloudflare Worker template.
  • Malum-branded merchant plugins (WooCommerce, EDD, phpShop) distributed from /merchant/service/downloads.
  • Malum mobile or desktop apps published under the Malum identity, where applicable.

Out of scope

  • Third-party infrastructure where the bug resides outside Malum's control (e.g. Stripe, Cryptomus, Cloudflare). Report these to the third party directly.
  • Findings that are theoretical, lack a proof-of-concept, or depend on a victim performing implausible actions.
  • Self-XSS, missing security headers without a working exploit, missing rate limits on non-sensitive endpoints, descriptive error messages, version disclosure of public software, vendor TLS or DNS configuration recommendations.
  • Findings from automated scanners without manual validation.
  • Social engineering, phishing of Malum staff or customers, physical attacks, and any non-technical attack vector.
  • Denial-of-service or volumetric testing.

Rules of engagement

  • Do not access, modify, or destroy data that does not belong to you. If you inadvertently encounter personal data, stop and tell us.
  • Use only your own test accounts. Do not attempt to brute-force credentials or take over real accounts.
  • Do not run automated scanners against production endpoints at a rate that could impact availability.
  • Do not publicly disclose a finding before we have remediated it and agreed a disclosure date with you. Coordinated disclosure timelines are typically 90 days, extendable by mutual agreement for complex issues.
  • Do not extort, threaten, or demand payment as a condition of disclosure — doing so excludes you from the safe harbour below.

How to report

Send reports to [email protected]. We support encrypted submissions; our PGP public key fingerprint is published at https://malum.co/.well-known/security.txt. Include:

  • A clear description of the issue and its impact.
  • Step-by-step reproduction instructions, including URLs and HTTP requests.
  • Proof-of-concept code, screenshots, or video where helpful.
  • The IP addresses you tested from, the user-agent, and approximate test times so we can correlate logs.
  • Your preferred name or handle for public credit, if any.

What happens next

  1. Triage: we validate, score, and assign the report.
  2. Remediation: engineering develops, tests, and rolls out a fix. Indicative timelines — critical: <72 hours; high: 7 days; medium: 30 days; low: 90 days.
  3. Verification: we ask you to confirm the fix resolves the issue.
  4. Disclosure: we publish an advisory and credit you, on a timeline agreed with you.

Safe harbour

Malum considers good-faith security research conducted within this policy to be authorised under applicable computer-misuse laws. We will not pursue civil action or initiate criminal complaints against researchers who:

  • Make a good-faith effort to comply with this policy.
  • Stop testing and notify us as soon as they discover a vulnerability or obtain access to unauthorised data.
  • Do not exploit a vulnerability beyond what is necessary to demonstrate it.
  • Do not violate the privacy of others, disrupt our systems, destroy data, or impair user experience.

If a third party initiates legal action against a researcher acting within this policy, we will make it known that the activity was authorised under this VDP.

Recognition and rewards

Malum does not currently operate a paid bug-bounty programme; however, at our discretion we award swag, statement credits, and public recognition for valid reports. A formal bounty programme may be launched in future and will be linked from this page.

Contact

[email protected]. For non-security issues, contact [email protected].