Our commitment
Pendali takes the security of the SMOP platform and the data of the municipalities we serve seriously. We support responsible disclosure and are committed to working with security researchers in good faith to identify and remediate vulnerabilities quickly. If you discover a security issue, we want to hear from you — without fear of legal action for acting in good faith.
In scope
- pendali.com and www.pendali.com — marketing website
- SMOP web admin dashboard
- SMOP REST API
- SMOP iOS and Android mobile applications
- Authentication flows, authorisation, and session management
- Data exposure, injection, broken access control, and privilege escalation vulnerabilities
Out of scope
- Cloudflare infrastructure, CDN, or WAF configuration
- Third-party services (Google Analytics, authentication providers)
- Social engineering or phishing attacks targeting Pendali staff or customers
- Physical security attacks
- Denial-of-service (DoS / DDoS) and resource-exhaustion attacks
- Automated scanning or fuzzing that generates load above normal traffic patterns on production
- Vulnerabilities in software not operated by Pendali
- Issues requiring physical access to an end user's device
- Self-XSS and issues exploitable only by the reporter themselves
- Missing security headers or TLS configuration issues on non-sensitive static pages (informational only)
Safe harbor
Security research conducted in accordance with this policy is authorised and will not be the basis for civil or criminal action by Pendali. We grant a limited exemption from the restrictions in our Terms of Use solely for good-faith security testing activities.
We ask that you reciprocate: limit testing to accounts you own or have explicit permission to test, stop immediately if you encounter personal data belonging to any citizen, municipal staff, or third party, and do not exploit a vulnerability beyond the minimum necessary to demonstrate it.
Rules of engagement
During security research you must not:
- Access, copy, modify, or delete data you do not own
- Degrade the performance or availability of production systems
- Test against accounts belonging to other users without their explicit permission
- Perform social engineering, phishing, or physical intrusion attempts
- Publicly disclose the vulnerability before we have confirmed a fix is in place
- Use automated tools in a manner that generates excessive server load
How to report
Email [email protected] with the subject line "Security Disclosure — [brief description]".
Please include:
- A clear description of the vulnerability and its potential impact
- The affected URL, API endpoint, or application component
- Step-by-step reproduction instructions
- Screenshots, recordings, or proof-of-concept code (as applicable)
- Your severity assessment — Critical / High / Medium / Low
- Whether any personal or municipal data was accessed during testing
No specific template required — a clear, factual description is sufficient.
Response timeline
- Acknowledgment of report: within 48 hours
- Triage and severity confirmation: within 5 business days
- Remediation (Critical / High): within 30 days
- Remediation (Medium): within 60 days
- Remediation (Low / Informational): within 90 days
We will keep you informed throughout. If a complex fix requires more time we will communicate proactively and agree a disclosure date with you.
Recognition
We do not currently offer a monetary bug bounty. Researchers who report valid, in-scope vulnerabilities will be acknowledged by name or pseudonym in the section below — unless you prefer to remain anonymous. We genuinely value responsible disclosure: good security research makes SMOP safer for every municipality and citizen we serve.
Acknowledgments
No disclosures to date. Be the first — responsible disclosure welcomed.