Security & Vulnerability Disclosure
CPro360, Inc. ("CPro360", "we", "our", or "us") takes the security of our platform seriously. This page explains how to report a security vulnerability, what we commit to in return, and the rules of engagement.
If you've found a vulnerability in any cpro360.com surface — the marketing site at www.cpro360.com, the application at app.cpro360.com, the API at api.cpro360.com, the CPro360 mobile apps, or any related infrastructure — we want to hear from you.
1. How to Report
Please send your report to security@cpro360.com. Include as much of the following as you can:
- What you found: the affected URL, endpoint, or app screen
- How to reproduce it: step-by-step, ideally with HTTP requests or screenshots
- Impact: what an attacker could do with it
- Any sensitive data observed: please redact other customers' data before sending; we will treat redacted samples as sufficient evidence
- Your contact information if you'd like an acknowledgement in our release notes (optional)
The same channel is also published in our machine-readable security.txt (RFC 9116) at /.well-known/security.txt, so you can confirm the address independently of this page before you send anything.
2. Our Commitment to You
When you report a vulnerability in good faith, we commit to:
- Acknowledge receipt of your report within 3 business days.
- Triage and assign a severity within 5 business days.
- Keep you updated on remediation progress as we work toward a fix.
- Notify you when the fix ships to production, so you can verify it.
- Not pursue legal action against good-faith researchers operating within the scope of this policy (see Section 5).
- Credit you in our public release notes if you'd like the recognition — your call.
3. Scope
The following surfaces are in scope for vulnerability reports:
- The marketing website at www.cpro360.com and cpro360.com
- The application at app.cpro360.com
- The API at api.cpro360.com
- The CPro360 mobile apps (iOS and Android)
- Authentication, authorization, and tenant-isolation flows
- Payment, billing, and Stripe integration surfaces
- File upload, document storage, and SAS-signed download URLs
4. Out of Scope
The following are explicitly out of scope and reports about them will be closed without action:
- Denial-of-service attacks, traffic flooding, or any test that degrades service for our customers
- Social engineering of CPro360 employees, contractors, or customers
- Physical access to our offices or infrastructure
- Vulnerabilities in third-party services we depend on (Stripe, Azure, Mailgun, Twilio, QuickBooks Online) — please report those to the vendor directly
- Missing security headers without a demonstrated exploit (we run a strict CSP; please show how a missing header is actually exploitable)
- Outdated software versions without a working proof of concept
- Reports generated solely by automated scanners without analysis or impact assessment
- Login or signup rate-limiting findings — these are tracked separately and we've already invested in defenses
- Self-XSS, clickjacking on pages without sensitive actions, or missing best-practice configurations on the marketing site
5. Safe Harbor
We will not pursue legal action against you for security research conducted in good faith and consistent with this policy. Specifically:
- Test only on accounts you own. Do not access, modify, or download data belonging to other customers.
- Avoid privacy violations. If you accidentally encounter other customers' data, stop immediately and report what you saw.
- Don't degrade service. No load testing, brute-force, or anything that affects other users' experience.
- Give us a reasonable disclosure window. Please allow us to ship a fix before publishing details. We aim for 90 days from acknowledgement; if you believe the issue warrants a different timeline, tell us in your report.
- Comply with applicable law. Safe harbor doesn't extend to actions that would otherwise be illegal under U.S. or your local jurisdiction's law.
Research conducted within these guidelines is considered authorized, and we will work with you rather than against you.
6. What We Run, So You Don't Have to Guess
To save you reconnaissance time on common questions:
- Auth: JWT bearer tokens with BCrypt password hashing; TOTP second factor, optional for ordinary users and mandatory for tenant administrators and platform staff
- Transport: HSTS preload with one-year max-age and includeSubDomains
- Headers: Strict CSP on API + hub paths, SPA-friendly CSP on the application, plus X-Frame-Options, X-Content-Type-Options, Referrer-Policy, and Permissions-Policy
- Secrets: Azure Key Vault with soft-delete and purge protection
- Encryption at rest: Field-level AES-256-GCM for sensitive integration tokens (Stripe customer IDs, QuickBooks refresh tokens)
- Tenancy isolation: EF Core query filters keyed off the JWT — every tenant-scoped query is constrained at the data layer
- Rate limiting: Per-IP and per-user policies on auth, OTP, register, and upload endpoints
- Dependency scanning: Weekly automated scans of NuGet + npm packages
7. Machine-Readable Contact
Automated tools and scanners can fetch our RFC 9116 disclosure record at /.well-known/security.txt.
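The following validator is an added example, not CPro360 code, and it is not a copy of the cpro360.com record; it applies the RFC 9116 rules a scanner should check before trusting a security.txt record it fetched (the one referenced here and in Section 1): Contact and Expires are mandatory, Expires and Preferred-Languages appear at most once, URI fields must carry a scheme and web URIs must be https, and Expires must be an RFC 3339 timestamp that is still in the future. The two sample records and the fixed "now" timestamp are constructed for the example.

```python
"""Validator for RFC 9116 security.txt records.

Added example (not CPro360 code). The sample records and FIXED_NOW below are
constructed; nothing here is fetched from a live site.
"""
from datetime import datetime, timedelta, timezone
from urllib.parse import urlparse

# RFC 9116: Contact and Expires are mandatory; Expires and Preferred-Languages
# may appear at most once; web URIs in these fields must use https.
REQUIRED = {"contact", "expires"}
SINGLE_VALUED = {"expires", "preferred-languages"}
URI_FIELDS = {"contact", "canonical", "encryption", "policy", "acknowledgments", "hiring"}

# Constructed reference time so the checks are reproducible.
FIXED_NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)


def _parse_expires(value):
    """RFC 3339 timestamp -> timezone-aware datetime; accepts a trailing 'Z'."""
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"
    dt = datetime.fromisoformat(value)
    if dt.tzinfo is None:
        raise ValueError("Expires must carry a timezone offset")
    return dt


def validate_security_txt(text, now=None):
    """Return {'ok', 'problems', 'contacts', 'expires'} for one security.txt body.

    Field names are case-insensitive (RFC 9116 section 2.5). Contact values keep
    their order because the first listed channel is the preferred one.
    """
    now = now or datetime.now(timezone.utc)
    fields, problems = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        if not sep or not name or not value:
            problems.append(f"line {lineno}: not a 'Field: value' line")
            continue
        fields.setdefault(name, []).append(value)

    for field in sorted(REQUIRED - fields.keys()):
        problems.append(f"missing required field {field.title()}")
    for field in SINGLE_VALUED:
        if len(fields.get(field, [])) > 1:
            problems.append(f"{field.title()} appears more than once")
    for field in sorted(URI_FIELDS):
        for value in fields.get(field, []):
            scheme = urlparse(value).scheme.lower()
            if not scheme:
                problems.append(f"{field.title()} value is not a URI: {value}")
            elif scheme == "http":
                problems.append(f"{field.title()} must use https, not http: {value}")

    expires = None
    if len(fields.get("expires", [])) == 1:
        try:
            expires = _parse_expires(fields["expires"][0])
        except ValueError as exc:
            problems.append(f"Expires is not RFC 3339: {exc}")
        else:
            if expires <= now:
                problems.append("Expires is in the past; treat the record as stale")
            elif expires > now + timedelta(days=365):
                problems.append("Expires is more than a year out (RFC 9116 recommends less)")

    return {"ok": not problems, "problems": problems,
            "contacts": fields.get("contact", []), "expires": expires}


# Constructed sample records for example.com (not any real site's record).
GOOD_RECORD = """\
# security.txt for example.com
Contact: mailto:security@example.com
Contact: https://example.com/security
Expires: 2026-01-01T00:00:00Z
Preferred-Languages: en
Canonical: https://example.com/.well-known/security.txt
Policy: https://example.com/security
"""

BAD_RECORD = """\
Contact: security@example.com
Expires: 2024-01-01T00:00:00Z
Expires: 2025-01-01T00:00:00Z
Policy: http://example.com/security
"""

if __name__ == "__main__":
    for label, record in (("good", GOOD_RECORD), ("bad", BAD_RECORD)):
        result = validate_security_txt(record, now=FIXED_NOW)
        print(label, "ok" if result["ok"] else "problems:", *result["problems"], sep="\n  ")
```

The validator expects a plain-text body; a PGP clear-signed record (which RFC 9116 permits) must have its signature verified and stripped before the body is passed in. To run it against a live site, fetch https://<host>/.well-known/security.txt over HTTPS and hand the response body to validate_security_txt.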
Contact
Security issues: security@cpro360.com
CPro360, Inc. · PO Box 364, 2440 Wisteria Dr., Snellville, GA 30078
Phone: +1 (770) 380-6790