Security & Responsible Disclosure
Last Updated: March 17, 2026
Our Commitment to Security
At Arreteq, the security of our platform and our customers' data is a top priority. We recognize that even well-designed systems can have vulnerabilities, and we value the role that independent security researchers play in helping us identify and address them.
This page outlines how to report a potential security vulnerability to us, what we ask of researchers, what you can expect from us, and the circumstances under which we will consider a reward for your contribution.
Scope
This policy covers vulnerabilities identified in the following Arreteq-owned and operated systems:
- arreteq.com and all subdomains (e.g. app.arreteq.com, api.arreteq.com)
- The Arreteq web application and any publicly accessible APIs
- Arreteq mobile applications (where applicable)
Out of scope:
- Third-party services and infrastructure we do not directly control (e.g. cloud providers, payment processors)
- Social engineering attacks targeting Arreteq employees or contractors
- Physical security attacks
- Denial-of-service (DoS/DDoS) attacks or any testing that degrades service availability for other users
- Spam or email flooding
- Vulnerabilities in third-party software that are already publicly known and reported upstream
- Issues that require unlikely user interaction or have no practical security impact
Responsible Disclosure Guidelines
We ask that all researchers follow responsible disclosure practices. By submitting a report you agree to:
- Report privately first. Contact us at security@arreteq.com before disclosing any vulnerability publicly. Give us a reasonable opportunity to investigate and remediate.
- Do not exploit. Limit your activities strictly to demonstrating the existence of the vulnerability. Do not access, exfiltrate, modify, or delete any data beyond the minimum necessary to prove the issue.
- Do not disrupt. Do not perform any testing that could degrade, impair, or disrupt the Arreteq platform or its users. Do not conduct volumetric testing, automated scanning at high rates, or any action that could constitute a denial-of-service attack.
- Do not target others. Do not test for vulnerabilities in accounts belonging to other users without their explicit written consent.
- Maintain confidentiality. Do not disclose vulnerability details to any third party without our prior written consent, and do not publicly disclose the issue until we have confirmed a fix is in place.
- Act in good faith. Your research must be conducted in a manner consistent with applicable law. We will not pursue legal action against researchers who comply with this policy in good faith.
We reserve the right to take legal action against any party that engages in testing or disclosure that falls outside these guidelines, causes harm to our service or users, or that is conducted in bad faith.
How to Report a Vulnerability
Send your report to security@arreteq.com. We recommend encrypting sensitive reports using our PGP key (available on request).
Please include as much of the following as possible:
- A clear description of the vulnerability and its potential impact
- The affected URL, endpoint, or component
- Step-by-step reproduction instructions
- Any supporting materials — screenshots, HTTP request/response logs, proof-of-concept code
- Your assessment of severity (using CVSS or similar where possible)
The more detail you provide, the faster we can triage and act on your report.
What to Expect From Us
- Acknowledgement within 3 business days of receiving your report.
- Initial triage and severity assessment within 10 business days.
- Regular updates on the progress of investigation and remediation.
- Notification when the vulnerability has been resolved, before any coordinated public disclosure.
We aim to remediate critical and high-severity issues as quickly as possible. Resolution timelines will vary depending on complexity, but we commit to keeping you informed throughout the process.
Bug Bounty Rewards
Arreteq operates a discretionary bug bounty programme. We will consider a monetary reward for vulnerability reports that meet all of the following criteria:
- The vulnerability is original — not previously known to us or publicly disclosed
- The vulnerability has a clear and demonstrable security impact on Arreteq systems or customer data (generally, CVSS score 7.0 or above)
- The report is complete and reproducible
- The researcher has fully complied with all responsible disclosure guidelines set out on this page
- No disruption to the Arreteq service or its users was caused at any point during research or disclosure
- No customer data was accessed, retained, or exfiltrated beyond what was minimally necessary to demonstrate the issue
Any reward is entirely at Arreteq's discretion — we do not publish fixed amounts or tiers. Rewards for duplicate or closely related reports are awarded to the first reporter only. Arreteq's assessment of severity and eligibility is final.
Ineligible Reports
The following are not eligible for a reward regardless of severity:
- Reports that failed to follow the responsible disclosure guidelines above
- Reports submitted after a vulnerability has already been identified internally or by another researcher
- Theoretical vulnerabilities with no demonstrated impact
- Reports accompanied by any form of threat, demand, or ultimatum
- Reports from individuals who caused disruption to the service or customer data during their research
- Automated scan output submitted without manual verification or analysis
Recognition
With your permission, we are happy to acknowledge qualifying reporters in our security hall of fame. Please indicate in your report whether you would like to be named, credited pseudonymously, or remain anonymous.
Legal Safe Harbour
Arreteq will not pursue civil or criminal action against security researchers who:
- Discover and report vulnerabilities in good faith in accordance with this policy
- Do not cause harm, disruption, or data loss to Arreteq or its users
- Do not publicly disclose the vulnerability before we have confirmed a fix
This safe harbour applies solely to activities that comply strictly with this policy. It does not apply to any actions that fall outside the guidelines above, including but not limited to unauthorised data access, service disruption, or extortion.
Contact
Security reports: security@arreteq.com
General legal enquiries: legal@arreteq.com
We appreciate the work of the security research community and thank you for helping keep Arreteq and our customers safe.