Responsible Disclosure Policy

Security Vulnerability Reporting and Responsible Disclosure Guidelines

Responsible Disclosure Policy

Effective Date: November 22, 2025 | Last Updated: January 20, 2026

1. Introduction

Coastal Rush is committed to maintaining the security and integrity of our systems and protecting our customers' data. We appreciate the assistance of security researchers in helping us identify and resolve security vulnerabilities.

This Responsible Disclosure Policy outlines our process for receiving, investigating, and responding to security vulnerability reports.

2. Scope

This policy applies to security vulnerabilities discovered in:

  • Coastal Rush website (coastalrush.co.za)
  • Mobile applications (Customer, Driver, Vendor apps)
  • API endpoints and integrations
  • Third-party services operated on behalf of Coastal Rush

3. Guidelines for Responsible Disclosure

3.1 Do's

  • Report vulnerabilities promptly after discovery
  • Provide clear, detailed reproduction steps
  • Include proof-of-concept code or demonstrations
  • Allow reasonable time for us to investigate and fix
  • Keep vulnerability details confidential until resolved
  • Follow up on your report status

3.2 Don'ts

  • Do not exploit vulnerabilities beyond proof-of-concept
  • Do not access, modify, or delete data without authorization
  • Do not perform denial-of-service attacks
  • Do not disclose vulnerabilities publicly before resolution
  • Do not spam our systems or abuse the reporting process
  • Do not attempt social engineering attacks

4. How to Report a Vulnerability

4.1 Reporting Process

  1. Send your report to security@coastalrush.co.za
  2. Include detailed information about the vulnerability
  3. Provide steps to reproduce the issue
  4. Specify the impact and severity of the vulnerability
  5. Include your contact information for follow-up

4.2 Required Information

  • Description of the vulnerability
  • Steps to reproduce
  • Proof-of-concept (if applicable)
  • Potential impact and severity
  • Your contact details
  • Date and time of discovery

5. Our Response Process

5.1 Acknowledgment

We will acknowledge receipt of your report within 48 hours and provide an initial assessment timeline.

5.2 Investigation

Our security team will investigate the reported vulnerability and assess its validity and impact.

5.3 Resolution

  • Valid Vulnerabilities: We will work to resolve the issue promptly
  • Invalid Reports: We will explain why the report doesn't qualify
  • Updates: We will keep you informed of progress

5.4 Timeline

  • Critical: Resolution within 7 days
  • High: Resolution within 30 days
  • Medium: Resolution within 90 days
  • Low: Resolution within 180 days

6. Recognition and Rewards

We appreciate security researchers who help improve our systems. While we don't currently offer a formal bug bounty program, we may provide recognition for significant findings:

  • Public acknowledgment (with permission)
  • Coastal Rush swag or vouchers
  • Hall of fame recognition
  • Priority consideration for future programs

7. Legal Considerations

Important: This policy is not a license to probe, scan, or test our systems. Any unauthorized access or activity may violate applicable laws. We will not pursue legal action against researchers who follow this policy in good faith.

8. Contact Information

Security Team
Email: security@coastalrush.co.za
Phone: +27 68 237 6024
Response Time: Within 48 hours
PGP Key: Available upon request

Last updated: January 20, 2026