Vulnerability Disclosure Policy

LAST REVIEW DATE (mm/dd/yyyy):  02/03/2025

Introduction

At Unefi LTD, security is a top priority, and we are committed to protecting our systems, customers, and stakeholders. We recognize the importance of responsible disclosure of security vulnerabilities and encourage ethical security researchers to report potential security issues.

Scope

This policy applies to all digital assets owned, operated, or maintained by Unefi LTD including websites, applications, APIs, and infrastructure. [To whom is this policy applicable? Please specify]

Reporting a Vulnerability

A security vulnerability is an unintended flaw in software code or system that leaves the code or system open to the potential for exploration in the form of unauthorized access or malicious behaviour. If a security vulnerability is discovered or suspected, it must be reported by following these guidelines:

• Immediately contact info@optimumretailing.com with a detailed description of the vulnerability. If you believe there is an ongoing exploitation of the vulnerability, call IT immediately and follow our Incident Response Protocol.
• Include steps to reproduce the vulnerability, potential impact, and any relevant supporting materials (e.g., screenshots, logs, or proof-of-concept code).
• Do not publicly disclose the vulnerability until we have had reasonable time to address it.
• Comply with all applicable laws and avoid violating user privacy, destroying data, or disrupting services.

Steps Upon Receiving a Report

Upon receiving a vulnerability report, we will:

• Assess and verify the issue internally.
• Provide updates on the status of the remediation process.
• Publicly recognize responsible disclosures if agreed upon.

Safe Harbor

We will not take legal action or punitive measures against security researchers who report vulnerabilities in good faith and who follow this policy. However, researchers must:

• Avoid accessing, modifying, or deleting user data.
• Not disrupt or degrade services.
• Not exploit vulnerabilities beyond what is necessary for verification.

Out of Scope Issues

The following are generally outside the scope of this policy:

• Denial of Service (DoS) attacks.
• Social engineering or phishing attacks.
• Physical security vulnerabilities.
• Use of automated scanning tools that cause disruption.

Recognition and Rewards

While we do not currently operate a formal bug bounty program, we may provide public recognition or other forms of appreciation for valid security findings.

Contact

For all security-related inquiries or to report vulnerabilities, please reach out to our security team at info@optimumretailing.com.

Policy Updates

We reserve the right to update this policy at any time. Please check back periodically for any changes.