Vulnerability Disclosure Program

Security at Inst

We take security seriously. If you've found a vulnerability in our platform, we want to hear from you. Responsible disclosure helps us protect our users.

Scope

  • call.inst.lk web application
  • WebRTC signaling server
  • Room code generation & access control
  • WebRTC peer connection security
  • Cross-site scripting (XSS)
  • Information disclosure vulnerabilities

Out of Scope

  • Denial of Service (DoS/DDoS) attacks
  • Social engineering / phishing
  • Physical security attacks
  • Third-party services & libraries
  • Issues already reported by others
  • Automated scanner output without POC

Rules of Engagement

  • Do not access other users' data
  • Do not disrupt service availability
  • Do not publicly disclose before fix
  • Provide detailed reproduction steps
  • Give us reasonable time to respond
  • One report per vulnerability

Rewards & Recognition

  • Hall of Fame listing for valid reports
  • Public acknowledgment (if desired)
  • Severity-based priority response
  • Direct communication with security team
  • We do not offer monetary rewards currently
  • Good faith effort is always appreciated

Response Timeline

24 hours
Initial acknowledgment
3 business days
Triage & severity assessment
14 days
Resolution target for critical issues

Submit a Vulnerability Report

All reports are reviewed by our security team