SECURITY VULNERABILITY DISCLOSURE POLICY
INTRODUCTION
Cloudvante Pty Ltd (ABN 28 681 142 683, ACN 681 142 683, "we," "us," "our," or "TravlAgent") is committed to protecting the security and privacy of our users. We appreciate the security research community's efforts to help us identify and address vulnerabilities in the TravlAgent platform.
This Security Vulnerability Disclosure Policy outlines our guidelines for responsible disclosure of security vulnerabilities affecting:
- TravlAgent website (https://travlagent.com)
- TravlAgent web application (https://app.travlagent.com)
- TravlAgent mobile applications (iOS and Android)
- TravlAgent APIs and infrastructure
We value the security community and are committed to working with researchers who act in good faith to help us maintain the security of our systems and protect our users.
REPORTING A VULNERABILITY
How to Report
If you believe you have discovered a security vulnerability in TravlAgent, please report it to us as soon as possible.
Contact: support@travlagent.com
Subject Line: "Security Vulnerability Report - [Brief Description]"
What to Include in Your Report
To help us understand and address the issue quickly, please include:
- Vulnerability Description: A clear explanation of the vulnerability and its potential impact
- Steps to Reproduce: Detailed, step-by-step instructions to reproduce the issue
- Proof of Concept: Screenshots, videos, or code snippets demonstrating the vulnerability (where applicable)
- Affected Systems: Specific URLs, API endpoints, or app versions affected
- Severity Assessment: Your assessment of the vulnerability's severity (Critical, High, Medium, Low)
- Suggested Remediation: If you have recommendations for fixing the issue (optional)
- Your Contact Information: Name, email, and preferred method of communication
- Disclosure Preference: Whether you would like public acknowledgment (optional)
Response Timeline
We are committed to responding to security reports in a timely manner:
- Initial Acknowledgment: Within 3 business days of receiving your report
- Status Update: Within 7 business days, we will provide an initial assessment and expected timeline
- Resolution Timeline: We aim to resolve critical vulnerabilities within 30 days, and other issues within 90 days, depending on complexity
- Ongoing Communication: We will keep you informed of our progress throughout the investigation and remediation process
SCOPE
In Scope
The following systems and vulnerability types are within scope for responsible disclosure:
Systems:
- *.travlagent.com (all subdomains)
- TravlAgent iOS mobile application
- TravlAgent Android mobile application
- TravlAgent API endpoints
Vulnerability Types (Examples):
- Cross-Site Scripting (XSS)
- Cross-Site Request Forgery (CSRF)
- SQL Injection
- Server-Side Request Forgery (SSRF)
- Remote Code Execution (RCE)
- Authentication and authorization bypasses
- Session management vulnerabilities
- Insecure Direct Object References (IDOR)
- Data exposure or leakage issues
- Security misconfigurations with demonstrable impact
- Cryptographic vulnerabilities
- Business logic flaws leading to security issues
Out of Scope
The following systems are outside the scope of this policy, and the following issue types are NOT considered vulnerabilities and should not be reported:
Systems:
- Third-party services we use (Google, Microsoft Azure, OpenAI, Cloudflare, Postmark) - please report these directly to the respective vendors
- Social media accounts and third-party platforms
- Physical security of our offices
- Services or systems not owned or controlled by TravlAgent
Vulnerability Types:
- Social engineering attacks (phishing, pretexting, etc.)
- Denial of Service (DoS) or Distributed Denial of Service (DDoS) attacks
- Spam or social engineering reports
- Missing security headers without demonstrated impact (e.g., missing HSTS on non-sensitive pages)
- Missing HTTP security headers on static content without sensitive data
- SPF/DMARC/DKIM configuration issues (unless actively exploited)
- Clickjacking on pages without sensitive actions
- Descriptive error messages without sensitive information disclosure
- Rate limiting issues on non-authentication endpoints
- Reports from automated scanners without validation or proof of exploitability
- Theoretical vulnerabilities without proof of concept
- Issues requiring unlikely user interaction or social engineering
- Vulnerabilities in outdated browsers or platforms we do not support
- Password complexity policies
- Information disclosure that poses no security risk (e.g., software version numbers)
- Issues already known or being addressed
SAFE HARBOR
Legal Protection for Good Faith Security Research
TravlAgent will not pursue legal action against security researchers who:
- Act in good faith and comply with this Security Vulnerability Disclosure Policy
- Make a reasonable effort to avoid privacy violations, service disruption, and data destruction
- Do not exploit vulnerabilities beyond the minimum necessary to demonstrate the issue
- Do not access, modify, or delete user data without explicit permission
- Provide us with a reasonable amount of time to address the vulnerability before public disclosure
- Do not publicly disclose the vulnerability until we have had adequate time to remediate it (see Responsible Disclosure Timeline below)
We consider good faith security research conducted under this policy to be:
- Authorized access under applicable Australian and international computer fraud and abuse laws
- Exempt from restrictions in our Terms of Service that would otherwise prohibit such activities
- Lawful and beneficial to the broader security of the internet
Researcher Responsibilities
To qualify for safe harbor protection, you must observe the following:
- Do not disrupt or degrade our services: Avoid actions that could harm the availability, integrity, or performance of TravlAgent systems
- Do not access user data unnecessarily: Only access the minimum data required to demonstrate the vulnerability. Do not view, store, or share user data beyond what is necessary
- Do not modify or delete data: Do not alter, destroy, or remove any data from our systems
- Respect user privacy: Do not target other users' accounts, data, or personal information
- Use test accounts: Create your own test accounts for research purposes. Do not use other users' accounts
- Limit your testing: Avoid automated testing that could impact system performance or generate excessive load
- Keep vulnerabilities confidential: Do not share vulnerability details with others until we have resolved the issue and agree to disclosure
- Comply with responsible disclosure timelines: Allow us reasonable time to address the issue before public disclosure
- Act professionally: Communicate respectfully and constructively with our security team
RESPONSIBLE DISCLOSURE TIMELINE
We believe in coordinated disclosure to protect our users while recognizing the value of public security research.
Our Commitment
- Acknowledge your report within 3 business days
- Provide status updates at least every 14 days during investigation and remediation
- Work diligently to resolve confirmed vulnerabilities based on severity:
  - Critical: 7-14 days
  - High: 30 days
  - Medium: 60 days
  - Low: 90 days
- Notify you when the vulnerability has been remediated
- Coordinate disclosure with you if you wish to publish your findings
Your Commitment
We ask that you:
- Allow us 90 days from the date of your initial report to investigate and remediate the vulnerability before making any public disclosure
- Coordinate with us if you plan to publish details of the vulnerability after remediation
- Provide advance notice of at least 7 days before any planned public disclosure
- Redact sensitive information (user data, API keys, internal system details) from any public disclosure
Exceptions
If we fail to acknowledge your report within 10 business days or fail to provide meaningful updates within 30 days, you may disclose the vulnerability publicly. However, we appreciate advance notice if you choose to do so.
RECOGNITION AND REWARDS
Public Acknowledgment
With your permission, we are happy to publicly acknowledge security researchers who help us improve TravlAgent's security. We may feature your name on our Security Acknowledgments page (to be created) or in security advisories.
You may choose to:
- Be publicly acknowledged by name
- Remain anonymous
- Decline recognition
Monetary Rewards
Current Status: As an early-stage startup, we do not currently offer a paid bug bounty program or monetary rewards for vulnerability disclosures.
However, we deeply appreciate responsible disclosures and will:
- Provide public recognition (with your permission)
- Send TravlAgent swag or other tokens of appreciation for significant findings (when available)
- Prioritize early access or beta features for contributing researchers
Future Plans: As we grow, we plan to introduce a formal bug bounty program with monetary rewards. We will prioritize inviting researchers who have previously submitted high-quality reports.
WHAT TO EXPECT FROM US
Our Response Process
When you submit a vulnerability report, here's what happens:
Step 1: Initial Triage (1-3 business days)
- We acknowledge receipt of your report
- We assign a tracking number
- We perform an initial assessment of severity and scope
Step 2: Investigation (3-7 business days)
- We validate the vulnerability and reproduce the issue
- We assess the security impact and affected systems
- We determine the remediation strategy and timeline
- We provide you with an update on our findings
Step 3: Remediation (timeline varies by severity)
- We develop and test a fix
- We deploy the fix to production systems
- We verify the vulnerability has been resolved
- We notify you when remediation is complete
Step 4: Disclosure (coordinated with you)
- We coordinate public disclosure timing with you (if applicable)
- We publish security advisories for significant vulnerabilities
- We acknowledge your contribution (with your permission)
Communication Standards
You can expect us to:
- Treat you with respect and professionalism
- Respond to your inquiries in a timely manner
- Provide meaningful updates on progress
- Be transparent about timelines and challenges
- Honor your disclosure preferences
- Protect your identity if you prefer to remain anonymous
OUT OF SCOPE ACTIVITIES
The following activities are strictly prohibited and are NOT authorized under this policy:
- Denial of Service (DoS/DDoS) attacks or intentional service degradation
- Spamming or sending unsolicited communications to users
- Social engineering of TravlAgent employees, contractors, or users
- Physical attacks or unauthorized physical access to TravlAgent facilities
- Testing third-party services integrated with TravlAgent (please report to those vendors directly)
- Accessing, modifying, or deleting other users' data without explicit authorization
- Executing malware, ransomware, or destructive exploits
- Exfiltrating large amounts of data beyond what is necessary to demonstrate the vulnerability
- Pivoting to other systems or networks not owned by TravlAgent
- Intentionally degrading user experience or system performance
- Public disclosure before we have had adequate time to remediate
Engaging in any of these activities will disqualify you from safe harbor protection and may result in legal action and/or referral to law enforcement.
SEVERITY CLASSIFICATION
We classify vulnerabilities using the following severity levels based on potential impact:
Critical
- Remote code execution
- SQL injection with data exfiltration
- Authentication bypass affecting all users
- Mass data breach or exposure of sensitive user data
- Full account takeover without user interaction
High
- Privilege escalation
- Server-Side Request Forgery (SSRF) with internal access
- Cross-Site Scripting (XSS) on sensitive pages (e.g., login, payment)
- Insecure Direct Object Reference (IDOR) exposing sensitive data
- CSRF on critical actions (account deletion, payment changes)
Medium
- Reflected XSS with limited impact
- CSRF on non-critical actions
- Information disclosure of non-sensitive data
- Session fixation vulnerabilities
- Weak password reset mechanisms
Low
- Clickjacking with minimal impact
- Missing security headers with theoretical risk
- Verbose error messages revealing minimal information
- Self-XSS requiring significant user interaction
- Open redirects to non-malicious sites
Final severity classification is at TravlAgent's discretion and may differ from your initial assessment based on our internal risk analysis.
CONTACT INFORMATION
Security Team Contact:
Email: support@travlagent.com
Subject: "Security Vulnerability Report"
Company Information:
Cloudvante Pty Ltd
ABN: 28 681 142 683
ACN: 681 142 683
Address: 470 St Kilda Road, Melbourne, VIC 3004, Australia
Website: https://travlagent.com
Security Resources:
- Security.txt: https://travlagent.com/.well-known/security.txt
- Privacy Policy: https://travlagent.com/privacy
- Terms of Service: https://travlagent.com/terms
CHANGES TO THIS POLICY
We may update this Security Vulnerability Disclosure Policy from time to time to reflect changes in our practices, technologies, or legal requirements.
When we make material changes:
- We will update the "Last Updated" date at the top of this page
- We will post the updated policy at https://travlagent.com/security-policy
- We will update the corresponding references in our security.txt file
We encourage security researchers to review this policy periodically to stay informed of any updates.
FREQUENTLY ASKED QUESTIONS
Q: Will I get in trouble for testing TravlAgent's security?
A: No, as long as you comply with this policy and act in good faith. We will not pursue legal action against researchers who follow our responsible disclosure guidelines.
Q: Can I use automated scanners to find vulnerabilities?
A: You may use automated tools for initial discovery, but please validate findings manually before reporting. Be mindful of rate limiting and avoid excessive traffic that could impact service availability. Reports from automated scanners without proof of exploitability are out of scope.
Q: What if I accidentally access user data during testing?
A: If you inadvertently access user data, stop immediately, do not view or store the data, and notify us right away. Accidental access during good faith security research will not result in legal action if you report it promptly and do not exploit the data.
Q: How long should I wait before disclosing a vulnerability publicly?
A: We request a minimum of 90 days from your initial report. However, we will work with you to coordinate disclosure timing based on the severity and complexity of the issue.
Q: Can I test on production systems?
A: Yes, but please be cautious and limit the scope and impact of your testing. Use test accounts where possible, avoid accessing other users' data, and do not disrupt service availability.
Q: What if I find a vulnerability in a third-party service TravlAgent uses?
A: Please report it directly to that vendor. Third-party services (Google, Microsoft, OpenAI, Cloudflare, Postmark) are out of scope for this policy. However, if you discover a misconfiguration or integration issue specific to TravlAgent's implementation, please let us know.
Q: Will you provide updates on my report?
A: Yes, we are committed to providing regular updates at least every 14 days during the investigation and remediation process.
Q: Can I discuss my findings with other researchers?
A: Please keep vulnerability details confidential until we have remediated the issue and coordinated disclosure. After disclosure, you are welcome to share your findings publicly (with sensitive details redacted).
Q: What if I disagree with your severity assessment?
A: We welcome discussion and will consider your perspective. However, final severity classification and remediation priority are at TravlAgent's discretion based on our internal risk assessment.
END OF SECURITY VULNERABILITY DISCLOSURE POLICY
Version 1.0
Copyright © 2025 Cloudvante Pty Ltd. All rights reserved.
Summary: TravlAgent welcomes responsible security research. Report vulnerabilities to support@travlagent.com. We will not pursue legal action against researchers who act in good faith, respect user privacy, and allow us reasonable time (90 days) to address issues before public disclosure. While we currently do not offer monetary rewards, we deeply appreciate security contributions and provide public recognition when requested.