Security
Responsible Disclosure Policy
We take the security of our website and our clients' digital properties seriously. If you've discovered a vulnerability, we want to hear from you.
Last updated: 3 May 2026
Our commitment to researchers
We are committed to working with the security community to identify and resolve vulnerabilities responsibly. We will make every effort to acknowledge your report promptly, keep you informed of our progress, and credit your contribution publicly — with your permission.
We will not pursue legal action against researchers who discover and report vulnerabilities in good faith, provided they adhere to the guidelines on this page.
How to report a vulnerability
Please report security issues through one of the following channels:
Email (preferred)
security@sentinelstudio.ma
What to include in your report:
- A clear description of the vulnerability and its potential impact
- The affected URL(s) or component(s)
- Step-by-step reproduction instructions
- Proof-of-concept (screenshots, video, or code) — required, not optional
- Your name or alias for acknowledgment (optional)
Encrypt sensitive reports using PGP if you have our public key, or use WhatsApp's end-to-end encryption for initial contact.
Response timeline
- 48h: Initial acknowledgment of your report
- 7 days: Status updates while the issue is under investigation
We aim to resolve confirmed vulnerabilities as quickly as possible. Remediation timelines depend on severity and complexity. We will notify you when the issue has been resolved and confirm before publishing any public disclosure.
Scope
In scope
- sentinelstudio.ma and all subdomains (e.g. *.sentinelstudio.ma)
- Authentication and session management flaws
- Cross-site scripting (XSS) and injection vulnerabilities
- Sensitive data exposure or information disclosure
- Broken access control or privilege escalation
- Server-side request forgery (SSRF)
Out of scope
- Denial-of-service (DoS/DDoS) attacks
- Social engineering, phishing, or physical attacks
- Third-party services or infrastructure we do not control
- Automated scanner output without a working proof of concept
- Vulnerabilities in outdated browsers or platforms not in our supported matrix
- Missing security headers or best-practice flags without demonstrated exploitability
- Rate limiting on non-sensitive endpoints
Safe harbor
We consider security research conducted in accordance with this policy to be authorized activity. We will not initiate legal action against you for accidental, good-faith violations of this policy. We will work with you to understand and resolve the issue quickly.
To qualify for safe harbor, your research must not:
- Access, modify, or delete data belonging to others
- Disrupt or degrade our services
- Exploit the vulnerability beyond what is needed to demonstrate it
- Disclose the vulnerability publicly before we have had a reasonable time to remediate
Acknowledgments
We credit researchers who disclose vulnerabilities responsibly. With your permission, your name or alias will appear on our Security Acknowledgments page. Let us know how you'd like to be credited in your report.
No bug bounty program
Sentinel Studio does not currently operate a paid bug bounty program. We cannot offer financial rewards for vulnerability disclosures. We do, however, deeply value the time and expertise of security researchers and will acknowledge every valid, responsibly disclosed report.
Ready to report?
Email security@sentinelstudio.ma or message us on WhatsApp.

