All Terms & Agreements
Vulnerability Disclosure Policy
Soldera operates a platform that connects to Energy Attribute Certificate registries, so the security of our systems and our customers' data matters a great deal to us. We value the security research community and welcome good-faith reports of vulnerabilities in the systems we operate.
This is a disclosure-only programme. We do not offer monetary rewards, but we commit to responding promptly, treating researchers with respect, and - where you wish - giving a discreet acknowledgement of your contribution.
-
HOW TO REPORT
-
Email
security@soldera.org
with:
- A subject line including "Vulnerability Disclosure"
- A description of the vulnerability and where it exists
- Steps to reproduce or a short proof of concept (a working PoC is more useful than a long video)
- Your assessment of the impact
- Please be succinct. If your report involves sensitive data, encrypt it with our public PGP key at https://www.soldera.org/.well-known/pgp-key.txt , or ask us for an encrypted channel.
-
Email
security@soldera.org
with:
-
WHAT QUALIFIES
- Design or implementation issues that meaningfully affect the confidentiality or integrity of customer or registry data - for example XSS, CSRF, authentication/authorisation flaws (including access to another customer's data), injection or server-side code execution (SQLi, command injection, XXE), and logic flaws that bypass significant security controls.
- We generally won't action: missing security headers/SPF/DKIM/DMARC or cookie flags without a demonstrated exploit, banner/version disclosure, clickjacking on non-sensitive pages, user enumeration without a rate-limiting impact, raw automated-scanner output with no analysis, or issues in third-party platforms we don't control (report those to the vendor).
-
WHAT WE ASK OF YOU
-
For the security of Soldera and our customers, please follow responsible-disclosure
practice:
- Only test against your own accounts. Never access, modify, or delete data belonging to anyone else. If you inadvertently encounter another user's data, stop, tell us, and don't keep copies.
- Don't degrade or disrupt our services - no denial-of-service testing, high-volume automated scans, spam, social engineering, or physical attacks.
- Don't test systems we don't own. Our platform connects to national and international EAC registries and to vendors (hosting, analytics, marketing); we can't authorise testing of those - direct any such issues to the relevant operator.
- Give us a reasonable opportunity to fix an issue before disclosing it publicly, and don't share it with third parties or brokers except to get it fixed.
- If you comply with this policy during your research and act in good faith, we will consider your access authorised, and we will not pursue legal action against you in connection with it.
-
For the security of Soldera and our customers, please follow responsible-disclosure
practice:
-
WHAT YOU CAN EXPECT FROM US
-
Resourcing permitting, we aim to:
- Acknowledge your report within 7 working days.
- Give an initial assessment within 14 working days.
- Fix valid issues in a sensible timeframe, with updates if remediation will take longer.
- Credit you if you'd like it (a discreet acknowledgement page and, optionally, a hall-of-fame entry ) - or keep you anonymous if you prefer.
- This programme is discretionary and we may change or end it at any time.
-
Resourcing permitting, we aim to:
Last updated: 15 July 2026. Questions about this policy: security@soldera.org