Sparx Systems Prolaborate – Vulnerability Disclosure Policy

We recommend reading this disclosure policy in full before reporting any vulnerabilities. This ensures that you understand the policy and act in compliance with it.

At Sparx Systems, we value the contributions of the security research community and welcome reports that help improve the security of our Prolaborate platform and services.

Scope

This policy applies only to vulnerabilities found in Sparx Systems Prolaborate products and services, under the following conditions:

  • In-scope vulnerabilities must be previously unreported, original, and not discovered through our internal testing or audits.
  • Volumetric attacks (e.g., overwhelming a system with traffic or brute force testing) are not in scope.
  • Reports of non-exploitable issues or deviations from security best practices (e.g., missing headers) are not in scope.
  • Weak TLS settings or legacy encryption protocol support (e.g., TLS 1.0) are not in scope.
  • This policy applies to all researchers, including Sparx Systems employees, third parties, and general users of Prolaborate.

Bug Bounty

While Sparx Systems does not offer a paid bug bounty program, we deeply appreciate responsible disclosures and will acknowledge valid, impactful submissions appropriately with thank-you notes or other non-monetary recognition.

Reporting a Vulnerability

If you believe you’ve discovered a vulnerability in Prolaborate that falls within the above scope, please report it to our security team via: security@prolaborate.com

Your report should include:

  • The exact system, URL, or component where the vulnerability exists.
  • A concise explanation of the vulnerability type (e.g., XSS, SQLi, authentication bypass).
  • A benign, reproducible proof-of-concept (PoC) that demonstrates the issue without causing harm.

What to Expect

Once your report is submitted:

  • You will receive an acknowledgment within 72 business hours.
  • Our team will triage your report to determine validity and scope.
  • If valid, the vulnerability will be assigned to our development team with a priority based on impact and exploitability.
  • Once resolved, we will notify you and may invite you to confirm the fix.

Guidance for Researchers

To ensure a safe and constructive process, you must not:

  • Access more data than necessary (2–3 records is enough to prove most vulnerabilities).
  • Use intrusive, high-impact, or destructive testing tools or techniques.
  • Violate the privacy of users or staff by accessing, sharing, or storing sensitive data.
  • Modify or delete any data in our systems.
  • Disrupt services, perform denial-of-service attacks, or attempt social engineering/phishing.
  • Disclose vulnerability details publicly or to third parties.
  • Demand financial compensation outside of any publicly stated reward structures.

Please securely delete any data retrieved during testing within 30 days of the vulnerability being resolved, or sooner if no longer required.

Legalities

This policy is designed to align with responsible disclosure practices under Australian law. It does not provide indemnity from legal consequences if you breach laws or act in bad faith.

You must comply with relevant laws, including but not limited to:

  • Criminal Code Act 1995 (Cth) – including offences related to unauthorised access, modification, or impairment of data.
  • Privacy Act 1988 (Cth) – relating to the collection, handling, and disclosure of personal information.
  • Copyright Act 1968 (Cth) – in relation to software and intellectual property.

Sparx Systems affirms that it will not pursue legal action against security researchers who:

  • Act in good faith,
  • Abide by this policy, and
  • Refrain from actions that cause harm or breach Australian law.