Responsible Disclosure Policy
1. Our commitment
The security of our platform and our customers' data is a top priority at Ravical. We invest in secure development, automated scanning, and a culture where the team raises concerns early. We also know that no organisation finds every vulnerability on its own. If you believe you have found a security issue in one of our systems, we want to hear about it.
This policy describes how to report a vulnerability to Ravical, what you can expect from us in return, and the rules we ask researchers to follow.
2. Scope
In scope
ravical.com and its subdomains, including app.ravical.com
The Ravical agent platform (web application and APIs you can reach as an authenticated user of your own account)
Mobile or desktop clients we publish under the Ravical name
Out of scope
Third-party services we use but do not operate (for example, our hosting, identity, or analytics providers). Please report those issues directly to the vendor.
Findings that require physical access to Ravical offices, devices, or staff
Social engineering of Ravical employees, customers, suppliers, or partners (including phishing, vishing, smishing, and pretexting)
Denial of service, volumetric, brute force, or load testing
Spam, mail spoofing, or findings limited to missing or weak SPF, DKIM, or DMARC records without a working exploit
Self-XSS that requires a user to paste content into their own browser
Missing or weak security headers without a demonstrated impact
Clickjacking on pages with no sensitive state-changing action
Disclosure of public information, software version banners, or directory listings without a working exploit
Outdated libraries or software reports without a working proof of concept showing exploitability in our context
Theoretical issues with no demonstrable security impact
If you are unsure whether something is in scope, ask us at security@ravical.com before testing.
3. How to report
Send your report to security@ravical.com.
Please include:
A clear description of the issue and the affected system, URL, or component
Step-by-step instructions to reproduce the issue
A proof of concept (screenshots, request and response, short script, or video) where relevant
Your assessment of the impact
Your name or handle and how you would like to be contacted
Whether you would like public credit if we publish a fix announcement
Report in English or Dutch. One issue per report keeps things easier to triage. If you find several issues, please send them separately.
4. Rules of engagement
When testing, please:
Use only your own account, your own data, or test data you own
Stop and report as soon as you confirm a vulnerability. Do not go further than needed to demonstrate the issue.
Avoid actions that could harm the availability, confidentiality, or integrity of the service or of other users' data
Do not access, modify, copy, download, retain, transfer, or destroy data that is not yours
Do not run automated scanners that generate excessive traffic against our production environment
Do not perform social engineering, physical intrusion, or denial of service
Do not publish, share, or sell information about the vulnerability, in part or in whole, before we have fixed it and confirmed that you may disclose
Comply with all applicable laws
If testing accidentally causes a service disruption, data exposure, or anything else unintended, stop immediately and let us know at security@ravical.com.
5. What you can expect from us
We will acknowledge your report within 5 business days.
We will assess the report and let you know our initial view, including whether we consider it in scope, within 10 business days.
We will keep you updated on progress at reasonable intervals while we triage and fix the issue.
We will let you know once the issue is resolved.
If you wish, we will credit you publicly when we communicate about the fix. You can also stay anonymous.
We will treat your report and your identity confidentially and will not share it with third parties without your consent, unless we are legally required to.
6. Safe harbour
If you act in good faith and in line with this policy, Ravical will not pursue or support legal action against you for your research. We see researchers who report vulnerabilities responsibly as helping us protect our customers.
Researchers based in Belgium can also rely on the legal framework of the Centre for Cybersecurity Belgium (CCB) for coordinated vulnerability disclosure, provided the conditions of that framework are met. Acting in line with this policy is intended to be compatible with that framework.
This safe harbour does not cover activities that fall outside of this policy, that breach the rules of engagement above, or that violate applicable law.
7. No bug bounty
Ravical does not currently run a paid bug bounty programme. We may offer a token of appreciation or public credit, but we cannot guarantee a financial reward. We may revisit this in the future.
8. Changes to this policy
We may update this policy from time to time. The current version is always available on our website and via Ravical's trust centre. The date at the top of this document indicates when it was last updated.
9. Contact
Email: security@ravical.com
Trust centre: trust.ravical.com