RoleSec Security Reporting & Vulnerability Disclosure Policy
Effective Date: December 13, 2025
Last Updated: December 13, 2025
Next Review Date: December 13, 2026
RoleSec, LLC (“RoleSec,” “we,” “us,” “our”) takes security seriously. This Policy explains how to report security issues, phishing, brand misuse, or suspected vulnerabilities related to RoleSec-controlled properties.
Important: This Policy does not grant permission to test, probe, scan, or access RoleSec systems. Unauthorized activity is prohibited.
1) Reporting Channel
Report security concerns to:
Email: [email protected]
Subject line: “Security Report”
Include as much detail as possible (see Section 6).
2) Scope
This Policy applies only to RoleSec-controlled properties, including:
rolesec.com
RoleSec-owned domains and subdomains
Out of Scope (Non-Exhaustive)
The following are out of scope unless we explicitly authorize otherwise in writing:
third-party platforms and services used to deliver our Services (including hosted learning platform infrastructure and payment processors),
third-party identity providers (social login),
third-party hosting/CDN/infrastructure not under RoleSec’s direct control.
3) No Authorization — Prohibited Security Testing (Strict)
You may not do any of the following without explicit written permission from RoleSec:
vulnerability scanning, probing, port scanning, or automated testing,
attempts to bypass authentication/authorization,
credential stuffing, brute force, password guessing, or account takeover attempts,
denial-of-service (DoS/DDoS) testing or traffic flooding,
social engineering (including phishing, vishing, smishing, pretexting),
physical security testing,
malware delivery, payload execution, or exploitation attempts,
accessing, copying, deleting, altering, or exfiltrating any data (including test data) that is not your own.
If you engage in prohibited activities, we may pursue all legal remedies and may report the matter to law enforcement.
4) Narrow Good-Faith Expectation (Not a Safe Harbor License)
If you believe you discovered a potential issue without engaging in prohibited activity, we ask that you:
avoid privacy violations and data access,
avoid disruption and performance impact,
report promptly and confidentially to us,
give us a reasonable opportunity to investigate.
This section is not a “safe harbor” promise and does not create any immunity. We reserve all rights.
5) No Bug Bounty
RoleSec does not offer a bug bounty or monetary rewards.
6) What to Include in Your Report
To help us evaluate, please include:
affected URL(s) or asset(s),
a clear description of the issue,
steps to reproduce (if you can describe them without testing),
the potential impact (what could happen),
relevant timestamps,
screenshots/logs only if they do not contain sensitive personal data.
Do not send:
other users’ personal data,
full payment card data,
passwords, access tokens, or secrets,
any exploit code or payloads.
If sensitive information is necessary to explain the issue, redact it and describe what was redacted.
7) Our Response
We may:
acknowledge receipt,
request additional information,
take remediation actions at our discretion.
We do not guarantee response times, remediation timelines, or specific outcomes. We may choose not to respond to certain submissions (for example, incomplete reports or reports involving prohibited activities).
8) Confidentiality
Please keep security reports confidential until we explicitly confirm otherwise in writing. Public disclosure may increase risk to our users and services.
9) Relationship to Other Policies
This Policy is part of our broader risk and policy framework and should be read together with our Terms of Use (/terms). If there is a conflict, our Terms of Use control.
10) Contact
Email: [email protected]
Subject line: “Security Report”