Denaee Responsible Disclosure Policy

At Denaee, we are committed to maintaining the highest standards of security for our customers, partners, and employees. Protecting our digital platforms, financial systems, and customer data is a top priority. We recognise the invaluable role that ethical security researchers, security professionals, and members of the public play in identifying and reporting potential vulnerabilities within our systems. This Responsible Disclosure Policy outlines how vulnerabilities should be reported and the expectations we set for responsible disclosure.

Commitment to Security and Transparency

Denaee takes cybersecurity seriously and has robust security measures in place to safeguard our infrastructure, applications, and data. Despite these efforts, we acknowledge that no system is completely immune to vulnerabilities. 

To further enhance our security framework, we encourage responsible disclosure of any security weaknesses that may be discovered within our systems.

We believe in a transparent and cooperative approach to security and will work closely with security researchers to address identified vulnerabilities promptly and effectively. Our aim is to protect our users while fostering a collaborative relationship with the security community.

Scope of the Responsible Disclosure Policy

This policy applies to all digital services provided by Denaee, including but not limited to:

• Denaee’s super app and fintech platforms

• Web-based platforms and mobile applications

• APIs and payment processing systems

• Internal administrative portals and third-party integrations

We encourage responsible reporting of vulnerabilities that may pose a risk to the confidentiality, integrity, or availability of our systems. However, this policy does not apply to issues such as:

• Outdated software versions that are no longer in use or actively maintained

• General best practice recommendations rather than exploitable security vulnerabilities

• Reports based on automated scans without a clear proof of concept

• Social engineering attacks targeting Denaee employees, customers, or partners

Guidelines for Responsible Disclosure

To ensure an ethical and constructive approach to vulnerability disclosure, we request that all reports adhere to the following guidelines:

• Act in Good Faith: Any security research conducted on Denaee’s systems should be done in a responsible and ethical manner, with no intent to disrupt services, steal data, or cause harm to users.

• Provide Sufficient Details: Reports should include a clear and concise description of the vulnerability, steps to reproduce it, potential impact, and any suggested remediation. Proof of concept (PoC) examples or screenshots can significantly aid in the resolution process.

• Avoid Data Exposure: Researchers should not access, modify, store, or share any sensitive customer data as part of their research. If any data is inadvertently accessed, it must be immediately reported and not disclosed further.

• No Service Disruptions: Any testing should avoid activities that could cause service interruptions, system degradation, or unauthorised access to customer accounts.

• Comply with Applicable Laws: All vulnerability research must comply with relevant laws and regulations. Unauthorised access, data theft, or malicious intent will be considered a breach of this policy.

How to Report a Security Vulnerability

If you believe you have discovered a vulnerability within Denaee’s systems, we encourage you to report it to us as soon as possible through the following process:

1. Submit a Report: Contact Denaee’s security team via our designated security disclosure email, hello@denaee.com. Include all necessary details to help us assess the risk.

2. Acknowledge Receipt: Our security team will acknowledge the report within three business days and may request further information for investigation.