Responsible disclosure policy

Last updated: March 31, 2026

At Simbase, we are committed to maintaining the security of our systems and our customers' data. We provide global IoT connectivity services and understand the critical importance of safeguarding our in-house developed platform, which our customers rely on to manage their devices. We operate a responsible disclosure program and an active bug bounty program to reward security researchers who help us identify and fix vulnerabilities.

Our Commitment

We continuously monitor and improve our security measures to ensure the integrity and reliability of our services. If you believe you've found a security vulnerability within our platform, we encourage you to inform us discreetly, and we promise to investigate all legitimate reports promptly and thoroughly.

How to Report a Security Vulnerability

If you have discovered a potential security issue, please share it with us by following these steps:

  1. Send your findings to security@simbase.com.

  2. Include sufficient information to reproduce the problem, so we will be able to resolve it as swiftly as possible. Complex vulnerabilities may require more explanation than simpler ones.

  3. Disclose the vulnerability to us confidentially, and do not share it with others until we have had a chance to address it.

Security Disclosure: Our security contact information is published at simbase.com/.well-known/security.txt in accordance with RFC 9116, which may also be used to report security vulnerabilities.

Our Promise

  • We will acknowledge receipt of your vulnerability report within 32 hours.

  • We will communicate with you to understand the scope of the vulnerability and will work with you to validate and resolve the issue.

  • We will handle your report with strict confidentiality, and we will not share your personal details with third parties without your permission.

  • We will keep you informed of our progress during the investigation and resolution stages.

  • We aim to resolve any verified vulnerabilities within a reasonable time frame and will release an update as soon as possible.

Bug Bounty Program

Simbase rewards valid and qualified security vulnerability reports through our bug bounty program. We work with security researchers worldwide to identify and resolve security issues. Accepted reports may be eligible for monetary rewards and additional recognition.

Scope

In Scope

The following areas are eligible for bug bounty rewards:

  • simbase.com and all subdomains (excluding third-party hosted services)

  • REST API endpoints and authentication mechanisms

  • Dashboard and account management systems

  • Authentication systems (SSO, OAuth, API keys, token validation)

  • IoT infrastructure (device communication protocols, network security, data transmission)

Out of Scope

The following issues are not eligible for bounty rewards:

  • Findings from automated tools or scans without manual validation

  • Third-party applications, services, or devices that interact with our platform

  • Denial of Service (DoS, DDoS) vulnerabilities

  • Mobile applications (unless explicitly included in a specific bounty program)

  • Attacks targeting Simbase customers or end users (not our systems)

  • Rate limiting bypass without demonstrable impact

  • Missing HTTP security headers without exploitable impact

  • SPF, DKIM, or DMARC configuration issues

  • Content injection vulnerabilities without confirmed exploitability

  • Issues requiring physical access to infrastructure

  • Social engineering or phishing attacks against Simbase employees

Eligibility

To qualify for bug bounty rewards, you must:

  • Not be a current or former Simbase employee, contractor, or consultant (within the past 6 months)

  • Not be located in a sanctioned jurisdiction where legal restrictions apply

  • Be at least 18 years old (or have parental consent and a legal guardian's written permission)

  • Comply with all applicable laws in your jurisdiction

  • Be the first reporter of the vulnerability (the bounty goes to the first valid report received)

  • Follow this policy in full, including confidentiality requirements

Rewards

Qualifying vulnerability reports receive:

  • $200 USD (or equivalent) in platform credit on Simbase

  • 10 free SIM cards

Reward eligibility criteria:

  • The vulnerability must be previously unreported to Simbase

  • The vulnerability must have a demonstrable security impact

  • The report must include sufficient detail to reproduce the issue

  • The researcher must follow this policy in full

  • Simbase reserves the right to determine severity and reward eligibility

Severity classification (for context):

  • Critical: Remote code execution, authentication bypass, access to sensitive customer data

  • High: Privilege escalation, significant data exposure, IDOR with sensitive data access

  • Medium: Stored XSS, CSRF on sensitive actions, information disclosure of internal systems

  • Low: Reflected XSS with limited impact, verbose error messages, minor information leaks

Note: Simbase reserves the right to adjust rewards based on severity and impact. Reports of low or informational severity may receive acknowledgment without a bounty reward.

Safe Harbor

Security researchers who follow this policy in good faith are protected under our safe harbor provision:

  • We will not pursue legal action against you for security research conducted according to this policy

  • We consider authorized research that adheres to this policy to be lawful under applicable legal statutes

  • We ask that you refrain from any activity that could harm Simbase or our customers, including but not limited to:

    • Privacy violations or unauthorized access to personal data

    • Data destruction or corruption

    • Interruption or degradation of services

    • Over-exploitation of vulnerabilities beyond what is necessary to demonstrate impact

    • Public disclosure before we have had a reasonable opportunity to patch (minimum 90 days)

Simbase is dedicated to working with the security community to find and fix security issues within our services. Together, we can keep our shared digital ecosystem safe and secure.

Contact

For security vulnerability reports or questions about this policy:

We appreciate your responsible disclosure and your contribution to the security of the Simbase platform.