Vulnerability Disclosure Policy

Email Cheat Code / WatchMyInbox is operated by Cuff Technology Solutions, LLC.

1. Purpose

Email Cheat Code / WatchMyInbox welcomes reports of security vulnerabilities. This policy explains how to report a vulnerability and what you can expect from us.

2. Scope

This policy applies to:

• Email Cheat Code and WatchMyInbox websites, APIs, and supporting services operated by Cuff Technology Solutions.
• Security vulnerabilities that could impact confidentiality, integrity, or availability of the service or customer data.

This policy does not apply to:

• Third-party services not operated by us (for example: Google, Twilio, Stripe, hosting providers). Please report issues to the appropriate vendor.
• Denial of service testing, spam, social engineering, phishing, or physical security issues.
• Vulnerabilities that require access to a device you do not own or a user account you do not control.

3. How to report a vulnerability

Please email your report to:

Include as much of the following as practical:

• A clear description of the issue and the affected component or URL
• Steps to reproduce
• Any proof-of-concept code or screenshots (if relevant)
• The potential impact, including what data or actions might be exposed
• Your preferred contact information for follow-up

Note: For highly sensitive information that should not be transmitted via email, please indicate this in your initial report. We will work with you to establish a mutually agreeable secure information sharing process as needed.

4. Safe harbor and testing guidelines

We support good-faith security research. If you follow the guidelines below, we will not pursue or support legal action related to your research.

Good-faith guidelines:

• Do not access, modify, or delete data that is not your own.
• Do not perform actions that degrade the service (for example: denial of service).
• Do not use social engineering, phishing, or physical attacks.
• Limit testing to the minimum necessary to demonstrate the issue.
• Do not publicly disclose the vulnerability until we have had a reasonable opportunity to investigate and address it.

5. What you can expect from us

For valid reports, we will use best efforts to:

• Acknowledge receipt within 5 business days.
• Request additional information if needed to reproduce the issue.
• Provide status updates when meaningful progress is made.
• Work to mitigate risk, which may include temporary mitigations before a permanent fix is available.

Response times and remediation timelines depend on complexity, severity, and third-party dependencies. We do not guarantee a specific fix date.

6. Coordinated disclosure

We prefer coordinated disclosure. If you plan to publish details, please coordinate timing with us. If a public disclosure is necessary, we ask that you first provide sufficient time for investigation and mitigation.

7. Bug bounty

Email Cheat Code / WatchMyInbox does not currently operate a paid bug bounty program. We appreciate responsible disclosure and will acknowledge valid reports privately upon request.

8. Changes to this policy

We may update this policy from time to time. The current version will be made available on request.

9. Contact Information