Vulnerability Disclosure Program
Security at Inst
We take security seriously. If you've found a vulnerability in our platform, we want to hear from you. Responsible disclosure helps us protect our users.
Scope
- •call.inst.lk web application
- •WebRTC signaling server
- •Room code generation & access control
- •WebRTC peer connection security
- •Cross-site scripting (XSS)
- •Information disclosure vulnerabilities
Out of Scope
- •Denial of Service (DoS/DDoS) attacks
- •Social engineering / phishing
- •Physical security attacks
- •Third-party services & libraries
- •Issues already reported by others
- •Automated scanner output without POC
Rules of Engagement
- •Do not access other users' data
- •Do not disrupt service availability
- •Do not publicly disclose before fix
- •Provide detailed reproduction steps
- •Give us reasonable time to respond
- •One report per vulnerability
Rewards & Recognition
- •Hall of Fame listing for valid reports
- •Public acknowledgment (if desired)
- •Severity-based priority response
- •Direct communication with security team
- •We do not offer monetary rewards currently
- •Good faith effort is always appreciated
Response Timeline
24 hours
Initial acknowledgment
3 business days
Triage & severity assessment
14 days
Resolution target for critical issues
Submit a Vulnerability Report
All reports are reviewed by our security team