Vulnerability Disclosure Policy (VDP)

Last updated: 2025-04-17

Amazing.com Inc.—including the Amazing.com and Zoof.com / Amazing Intelligence platforms—values the security of our customers, partners, and data. We welcome responsible security research and appreciate the community’s help in keeping our systems safe.

If you believe you have identified a vulnerability in one of our assets, please report it as described below. We currently do not pay monetary bounties, but we are happy to acknowledge valid contributions.


1. Scope

In-Scope

  • amazing.com and all first-party subdomains
  • zoof.com and all first-party subdomains
  • Official mobile apps published under the “Amazing.com” developer account

Out-of-Scope

  • Third-party services we do not own (e.g., payment processors, LMS vendors)
  • Denial-of-Service (DoS) or volumetric testing

Unsure if something is in scope? Ask us first at security@amazing.com.


2. Rules of Engagement

  • No privacy violations, data destruction, or modification.
  • No social-engineering, phishing, or physical exploits.
  • No unsolicited DoS, stress, or load testing.
  • Use non-production / test accounts whenever possible.
  • Limit testing to the minimum actions required to prove the issue.
  • Comply with all applicable laws.

If you work in good faith and follow this policy, Amazing.com Inc. will extend safe-harbor protection: we will not pursue legal action or refer you to law enforcement for research performed within these guidelines.


3. How to Report

  1. Email: security@amazing.com
  2. Include:
    • Descriptive title
    • Affected domain / endpoint / app version
    • Step-by-step reproduction or PoC
    • Impact assessment (what could an attacker gain?)
    • Preferred credit name (optional)

Please avoid attaching live malware, running automated scanners that generate excessive traffic, or publicly disclosing the issue before we confirm remediation.


4. Our Process

Stage and target SLA*:

  • Acknowledgement: ≤ 3 business days
  • Triage / analysis: ≤ 5 business days
  • Remediation plan: ≤ 30 days for critical, ≤ 90 days maximum
  • Co-ordinated disclosure: We will work with you post-fix

* Timelines follow CISA VDP and DOJ best-practice guidance.

We keep you informed throughout. If you would like a written acknowledgement for a valid report, let us know and we’ll be happy to provide one privately.


5. No-Bounty Statement

Amazing.com Inc. does not operate a paid bug-bounty program. By submitting a report you acknowledge:

  • You expect no financial reward.
  • Materials you provide may be used by Amazing.com Inc. solely for remediation.

6. Safe Harbor

Provided you:

  1. Follow this policy in good faith;
  2. Do not compromise privacy or availability; and
  3. Coordinate disclosure with us,

Amazing.com Inc. will not take legal action under the CFAA, DMCA, or similar laws. Should a third party initiate legal action, we will inform them that your activities were authorized under this VDP.


7. security.txt

A machine-readable reference to this policy lives at: amazing.com/security.txt