SERRACOM's Responsible Vulnerability Disclosure Policy

At Serracom, the security of our systems, data, and services is a top priority.

We are committed to protecting our clients, including T-Mobile, and maintaining the integrity of the telecommunications infrastructure we support. If you believe you’ve discovered a security vulnerability in our systems, we encourage you to report it responsibly.

How to Report a Vulnerability

To report a vulnerability, please email our compliance team at:
office@serracom.com
 
Include as much detail as possible:
- Description of the issue
- Steps to reproduce
- Any relevant screenshots or logs
- Your contact info (optional if you wish to remain anonymous)
 
We recommend using encryption (PGP) for sensitive reports. Our public key is available upon request.

 

What to Report:

Please report any suspected vulnerabilities related to:
- Unsecured access to systems or services (e.g., Site Docs, Scopeworker integrations)
- Flaws in our inventory, documentation, or credential handling processes
- Unauthorized access potential to sensitive client data or employee tools
- Insecure physical asset handling (e.g., equipment tagged but unprotected)
- Any other security issues that could impact Serracom operations or clients

 



When you report a vulnerability:
- We will acknowledge receipt of your report within 5 business days
- We will investigate the issue and keep you informed of progress
- We will resolve valid vulnerabilities promptly, prioritizing severity
- We will give you public recognition (optional) if the issue is confirmed and responsibly disclosed

Responsible Disclosure Guidelines


To help us keep our systems secure, we ask that you:

- Do not exploit the vulnerability beyond what’s necessary to prove its existence

- Do not access, modify, or delete any data

- Do not publicly disclose the issue until it has been resolved

- Avoid any activities that violate applicable laws or disrupt our services
 

Exclusions

We kindly ask you not to report the following:
- Spam or social engineering attempts not related to system vulnerabilities
- Outdated browser warnings or missing HTTP headers
- Use of public Wi-Fi or browser autofill behaviors
- Theoretical or non-exploitable issues with no real-world impact





Legal Safe Harbor


We support good-faith security research and will not pursue legal action against researchers who:
- Follow this disclosure policy
- Act responsibly and in good faith
- Avoid accessing unnecessary data
 
We are committed to working with the community to keep our systems safe.





