Responsible Disclosure Policy

Effective Date: May 2026 | HyperMartX PTY (LTD), trading as ASI Technologies

1. Introduction

ASI Technologies values the security research community and recognises the important role that independent security researchers play in keeping our systems and our clients safe. This policy describes how to report vulnerabilities to us responsibly, what you can expect from us, and the guidelines we ask you to follow.

2. Scope

This policy covers vulnerabilities found in:

asitechnologies.co.za *.asitechnologies.co.za ASI Technologies APIs Client-facing SaaS platforms

The following are out of scope:

Third-party services Social engineering Physical security Denial of Service attacks

3. How to Report a Vulnerability

Please send your report to:

Email: security@asitechnologies.co.za

Subject Line: [VULN-REPORT] Brief description of the issue

PGP Key: Available upon request for encrypted submissions.

Your report should include:

A clear description of the vulnerability and its potential impact.
Step-by-step instructions to reproduce the issue.
The affected URL, endpoint, or system component.
Any relevant screenshots, logs, or proof-of-concept code.
Your contact details (we will only use these to communicate about the report).

4. Our Commitments

When you report a vulnerability in good faith and in compliance with this policy, we commit to:

Acknowledgement: We will confirm receipt of your report within 2 business days.
Assessment: We will evaluate the vulnerability and provide an initial assessment within 5 business days.
Remediation: We will work to resolve confirmed vulnerabilities as rapidly as possible, prioritising by severity.
Communication: We will keep you informed of our progress and notify you when the issue has been resolved.
Recognition: With your permission, we will credit you publicly for the discovery (unless you prefer to remain anonymous).
No Legal Action: We will not pursue legal action against researchers who comply with this policy.

5. Guidelines for Researchers

We ask that you:

Do not access, modify, or delete data that does not belong to you.
Do not degrade the performance or availability of our services (no DoS/DDoS testing).
Do not exploit a vulnerability beyond the minimum necessary to demonstrate it.
Do not disclose the vulnerability publicly until we have had a reasonable opportunity to remediate it (we request a minimum of 90 days).
Do not use automated scanning tools against production systems without prior written approval.
Act in good faith and avoid violating the privacy of our users and clients.

6. Qualifying Vulnerabilities

Examples of issues we are interested in:

Cross-Site Scripting (XSS)
Cross-Site Request Forgery (CSRF)
Server-Side Request Forgery (SSRF)
SQL Injection / NoSQL Injection
Authentication or authorisation bypasses
Remote Code Execution (RCE)
Sensitive data exposure
Insecure Direct Object References (IDOR)

7. Non-Qualifying Issues

Missing HTTP headers that do not directly lead to a vulnerability (e.g., missing X-Frame-Options on pages with no sensitive content).
Clickjacking on pages without state-changing actions.
Self-XSS (where the user can only attack themselves).
Issues in third-party components that we do not control.
Reports from automated scanners without a demonstrated real-world impact.

8. Legal Safe Harbour

ASI Technologies considers security research conducted in compliance with this policy to be authorised conduct. We will not initiate legal action against researchers who act in good faith and comply with the guidelines outlined above. This commitment is made in the spirit of the Cybercrimes Act, No. 19 of 2020, and in recognition of the value that the security community brings to the safety of the digital ecosystem.