Reporting a Vulnerability
If you discover a security vulnerability in any system or property operated by 37SOLUTIONS, please report it to us promptly. We take all reports seriously and will respond as quickly as possible.
Email your report to security@37solutions.com. Please include as much detail as possible: the affected URL or system, a description of the issue, and steps to reproduce it if applicable.
We cannot respond to vague or non-specific reports. Initial emails must include at least a high-level technical description of the issue and its potential impact so we can assess severity.
What to Expect
- We will acknowledge receipt of your report within 3 business days.
- We will investigate and keep you informed of our progress.
- We will notify you when the issue has been resolved.
- We will not take legal action against researchers who report issues in good faith and follow this policy.
- All coordination is handled asynchronously via email. We do not hold calls or meetings as part of this process.
No Bug Bounty
We do not operate a bug bounty program and do not offer monetary rewards or paid engagements in response to unsolicited vulnerability reports. Submitting a report under this policy does not create any obligation for compensation or future work.
Scope
This policy applies to all systems and web properties operated by 37SOLUTIONS, including but not limited to:
- 37solutions.com and its subdomains
- Client-facing portals and infrastructure managed by 37SOLUTIONS
Out of Scope
The following are outside the scope of this policy:
- Denial of service attacks or any testing that degrades service availability
- Social engineering or phishing attacks targeting our staff or clients
- Physical security testing
- Automated scanning that generates excessive traffic
Not Acceptable
The following will result in no response:
- Reports that require a phone call, video meeting, NDA, or purchase of a product or service before sharing technical details. If your process requires a call or a demo to disclose the issue, we will not engage.
- Reports from anonymous or free email accounts where we cannot reasonably verify the sender’s identity or affiliation.
- Unsolicited sales pitches or tool demonstrations framed as security reports.
Disclosure
We ask that you give us reasonable time to investigate and address a vulnerability before any public disclosure. We are happy to coordinate disclosure timing with you and will credit researchers who report valid issues if they wish.
security.txt
This policy is referenced in our security.txt file, located at /.well-known/security.txt per RFC 9116.