Responsible-disclosure policy
Last updated: May 2026.
Aclamos welcomes security research conducted in good faith. This policy authorizes the activities below, sets expectations for reporting and response, and outlines the safe harbor we extend to researchers who follow it.
Scope
The following are in scope:
- aclamos.app, ballotis.app, and any Aclamos-operated subdomain.
- The Aclamos and Ballotis web apps, REST APIs, and webhooks.
- The Aclamos mobile app (iOS/Android), once published.
Out of scope:
- Third-party services we use (Stripe, Cloudflare, Anthropic, Twilio, SMTP2GO, Google, etc.); please report those to the relevant provider.
- Subdomains owned by our customers (e.g. vote.customer.com).
- Customer-uploaded content.
- Rate-limit / volumetric DDoS.
What's allowed
- Testing on accounts and resources you control. Use the free tier to set up test accounts.
- Automated scanning at < 1 request per second per endpoint.
- Reporting issues you discover through normal use.
What's not allowed
- Accessing data that doesn't belong to a test account you control.
- Disrupting Service for other users (DoS, mass account creation, log floods).
- Phishing or social engineering of Aclamos employees, contractors, or customers.
- Physical attacks against Aclamos offices, employees, or sub-processors.
- Disclosure to third parties or the public before we've fixed the issue, except as allowed under Coordinated disclosure below.
How to report
Email security@aclamos.app. PGP is optional but encouraged; our key is at /.well-known/aclamos-pgp.txt. Include:
- A clear description of the issue and impact.
- Reproduction steps, ideally a minimal proof-of-concept.
- The affected URL or endpoint.
- Your preferred handle for the security hall-of-fame (optional).
What we promise
- Acknowledgement within 2 business days.
- A triage decision within 7 days (accept / duplicate / out-of-scope / informational).
- Fix targets: critical 7 days · high 30 days · medium 60 days · low 90 days.
- You are publicly credited (with your consent) in our hall of fame.
- We do not pursue legal action against, or refer to law enforcement, researchers acting in good faith and in accordance with this policy. This safe harbor does not extend to violations of CFAA prohibitions, breaches of contract beyond the research itself, or activities that affect the Customer Data of other tenants.
Bug bounty
We do not currently run a paid bounty program. We track contributions and re-evaluate annually.
Out-of-scope vulnerabilities
We typically do not reward reports for:
- Missing security headers without a working proof-of-concept.
- SPF/DKIM/DMARC findings where the configuration is as intended.
- Clickjacking on pages without state-changing actions.
- Self-XSS.
- Outdated software disclosure without demonstrated exploitability.
- CSRF on logout or other low-risk forms.
- Rate-limit weaknesses without a demonstration of abuse.
RFC 9116 security.txt
Machine-readable copy at /.well-known/security.txt.