Security at SkiveCore

Policy Updated: May 1, 2025

The security of our platform and the privacy of our users are paramount at SkiveCore. We value the crucial role that independent security researchers play in helping us maintain a high standard of security. We welcome collaboration with the security community.

Our Commitment

We are committed to:

  • Protecting our users' data and privacy.
  • Responding to reported vulnerabilities in a timely manner.
  • Working collaboratively with researchers who report vulnerabilities to us.
  • Recognizing the efforts of researchers who help keep SkiveCore secure (see Acknowledgements below).

Responsible Disclosure Policy

If you believe you've discovered a security vulnerability in a SkiveCore service, we encourage you to report it to us responsibly. Please follow these guidelines:

Scope

This policy applies to security vulnerabilities found within the following SkiveCore assets:

  • The primary website: `skivecore.com` (and its subdomains)
  • Official SkiveCore mobile applications (iOS and Android)
  • APIs directly supporting the website and mobile applications

Out of Scope:

  • Third-party services or vendors used by SkiveCore (please report issues directly to the vendor).
  • Findings from physical testing (e.g., office access).
  • Social engineering (e.g., phishing, vishing) of SkiveCore staff or users.
  • Denial of Service (DoS or DDoS) attacks or activities that could degrade service for users.
  • Scanner output or purely theoretical vulnerabilities without proof-of-concept.
  • Issues related to missing security headers/configurations (e.g., missing HSTS, weak TLS ciphers) unless they demonstrate a direct, exploitable impact.
  • Self-XSS or issues exploitable only through unlikely user interaction.

How to Report

Please email your findings directly to our security team:

security@skivecore.com

In your report, please include as much detail as possible:

  • A clear description of the vulnerability and its potential impact.
  • Detailed steps to reproduce the issue, including any specific URLs, parameters, or account types needed.
  • Proof-of-concept code, screenshots, or videos are highly encouraged.
  • Any suggestions for remediation, if you have them.

Please allow our team reasonable time to investigate and respond before publicly disclosing any findings.

Rules of Engagement

When researching, please:

  • Do No Harm: Avoid actions that could impact the availability or integrity of our services or user data (e.g., no DoS, data deletion/modification).
  • Respect Privacy: Do not access, download, or modify data belonging to other users. Limit testing to accounts you own.
  • Act in Good Faith: Do not engage in extortion or demand payment in exchange for vulnerability details outside of any stated bug bounty program (see below).
  • Comply with all applicable laws and regulations.

Safe Harbor

SkiveCore considers security research conducted under this policy to be authorized and lawful. We will not pursue civil or criminal legal action, nor initiate a law enforcement investigation, against researchers for vulnerability testing activities that adhere to this policy. If legal action is initiated by a third party against you concerning activities conducted in accordance with this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.

Our Process & Response Times

Once we receive your report:

  1. We aim to acknowledge receipt of your report within 2-3 business days.
  2. Our security team will investigate and validate the finding. We may contact you for more information.
  3. We will prioritize remediation based on the severity and impact of the vulnerability.
  4. We will endeavor to keep you informed of our progress as we work to fix the issue.

Please understand that remediation times can vary depending on complexity and potential impact.

Rewards & Acknowledgements

Currently, SkiveCore does not operate a formal bug bounty program with monetary rewards.

However, we deeply appreciate the efforts of security researchers. We are happy to provide public acknowledgement (with your permission) to individuals who responsibly disclose significant vulnerabilities that help us improve our security posture. This recognition might appear on this page or a dedicated "Hall of Fame".

Secure Communication (PGP Key)

For sensitive communications, you can encrypt your email report using our PGP key for `security@skivecore.com`:


Key Fingerprint: `CDF2 D179 B3AF 21C9 81BE 2E24 42BB E835 77F0 A73A`

Contact & Resources

For security vulnerability reports, please use: security@skivecore.com.

You can also find our canonical security policy information in our security.txt file.

For general support questions, please visit our main Support Center or contact support@skivecore.com.