Vulnerability Disclosure Policy
Effective Date: July 1, 2025
Last Updated: May 25, 2026
1. Introduction
The security of our platform — and the trust of the customers, recruiters, and candidates who rely on it — is a top priority for Casuro. We believe collaboration with skilled security researchers is an essential part of keeping our users safe.
This policy describes how to report a potential security vulnerability in Casuro, what is and isn't in scope, and the commitments we make to researchers acting in good faith.
2. How to Report
Please email security@casuro.ai with the details of your finding. To help us validate and reproduce the issue quickly, please include:
- A clear description of the vulnerability and its potential impact
- The affected URL(s), endpoint(s), product feature, or component
- Step-by-step instructions to reproduce, including any required payloads or example requests
- Screenshots, video, or proof-of-concept code where helpful
- Your name or handle (if you wish to be credited) and any preferred contact method
If your report contains particularly sensitive information, indicate so in the subject line and we will coordinate a secure channel before you share details.
3. Our Commitments
When you report a vulnerability to us in line with this policy, we will:
- Acknowledge receipt of your report within five (5) business days
- Provide an initial assessment within ten (10) business days, and keep you informed as we investigate and remediate
- Work to validate, prioritize, and remediate confirmed vulnerabilities — aiming to remediate critical-severity issues within seven (7) days where feasible
- Notify you when the issue is resolved, and credit your contribution in any public acknowledgment (with your permission)
- Not pursue legal action against researchers who comply with this policy in good faith
4. Safe Harbor
Casuro will not initiate legal action against — and will work to waive any restrictions in our terms that would prohibit — security research conducted in accordance with this policy. In particular, we consider activity authorized under this policy to be:
- Authorized in view of any applicable anti-hacking laws (such as the U.S. Computer Fraud and Abuse Act), and we will not bring a claim against you for accidental, good-faith violations
- Authorized in view of relevant anti-circumvention laws, and we will not bring a claim against you for circumventing technical controls you find
- Exempt from restrictions in our Terms of Service that would interfere with conducting security research, but only to the extent necessary to comply with this policy
If at any time you are uncertain whether a specific action is consistent with this policy, please contact us at security@casuro.ai before proceeding. Safe harbor does not apply to violations of this policy or actions taken in bad faith.
5. Scope
The following Casuro-owned properties are in scope for this policy:
- The Casuro application and APIs hosted under casuro.ai and its subdomains
- Public candidate-facing endpoints, including the careers portal hosted under jobs.casuro.ai
- Casuro's marketing website at www.casuro.ai
- The Casuro mobile and web clients, including their backend interactions
Vulnerabilities in third-party sub-processors (see our Security page) should be reported directly to those providers under their respective disclosure programs. We are happy to help coordinate when appropriate.
6. Out of Scope
The following activities and finding categories are not authorized under this policy, and reports of this nature will typically be closed as informational:
- Denial-of-service (DoS) or distributed denial-of-service (DDoS) attacks, volumetric or otherwise
- Spam, social engineering, or phishing of Casuro employees, contractors, customers, or candidates
- Physical attacks against Casuro offices, infrastructure, or personnel
- Automated vulnerability scanning that generates excessive traffic
- Reports generated solely from automated tools without evidence of exploitability
- Missing security headers, CSP weaknesses, or cookie attributes without a demonstrated security impact
- Self-XSS, clickjacking on pages without sensitive actions, or tabnabbing
- Username or email enumeration without further impact
- Lack of rate limiting on endpoints without demonstrated abuse
- Vulnerabilities in unsupported browsers or end-of-life software
- Issues that require physical access to a user's device or that depend on a compromised endpoint
- Findings in third-party services that do not affect Casuro data
7. Researcher Guidelines
While conducting research under this policy, please:
- Only interact with accounts you own or for which you have the account holder's explicit written permission
- Avoid privacy violations, degradation of user experience, disruption to production systems, and destruction or modification of data
- Stop immediately and contact us if you encounter user data, personally identifiable information, or proprietary information
- Do not store, share, or use any data you encounter beyond what is necessary to demonstrate the vulnerability
- Give us a reasonable amount of time to respond to and remediate the issue before publicly disclosing it
- Do not request payment or bounty in exchange for withholding disclosure — Casuro does not operate a paid bug bounty at this time, though we are grateful for and acknowledge contributions
8. Policy Updates
We may update this policy from time to time. The current version is always available at casuro.ai/vulnerability-disclosure. Material changes will be reflected in the "Last Updated" date above.
9. Contact
Security Reports: security@casuro.ai
General: support@casuro.ai
Address: 3403 W 227th Pl, Torrance, California 90505