Hexalian

Security & Responsible Disclosure

Hexalian welcomes good-faith reports from security researchers. We do not pursue legal action against researchers who follow this policy.

Contact

Email [email protected] (preferred) or [email protected]. Machine-readable policy: /.well-known/security.txt.

What to include

  • Affected URL or component and steps to reproduce
  • Impact assessment (confidentiality, integrity, availability)
  • Proof of concept where safe — avoid destructive testing
  • Your preferred timeline and contact for follow-up

Scope

In scope: hexalian.com web application, APIs hosted on this domain, and customer-facing checkout/download flows operated by Hexalian.

Out of scope: third-party services (Stripe, hosting panels), social engineering, physical attacks, denial-of-service, and testing against other customers' Odoo instances or data.

Our commitment

  • Acknowledge valid reports within 5 business days
  • Work toward remediation for confirmed issues on a severity-appropriate timeline
  • Default coordinated disclosure window: 90 days from report acceptance, unless we agree otherwise in writing
  • Credit in release notes or advisories when you request it and the finding is verified

Safe harbor

Do not access, modify, or exfiltrate data that is not your own. Do not disrupt production services. Stop testing once you have enough evidence to demonstrate the issue. We will not initiate legal action against researchers who comply with this policy.

Bug bounties

We do not operate a public paid bug bounty program. Bounties or consulting fees are only considered by separate written agreement. Unsolicited invoices or demands for payment before disclosure are not accepted.