Vulnerability Disclosure Policy

Our Commitment

Adams Cloud & Cybersecurity is committed to the security of our website and services. We welcome responsible disclosure from security researchers. If you discover a vulnerability, we want to hear from you and will work with you to resolve it quickly.

Scope

This policy applies to the following systems:

• adamscloudcyber.com — primary website and all subpages
• API endpoints hosted under execute-api.us-east-1.amazonaws.com serving adamscloudcyber.com

The following are out of scope:

• Third-party services (Formspree, Google Analytics, AWS infrastructure itself)
• Denial-of-service attacks or automated scanning that disrupts service
• Social engineering attacks against our personnel
• Physical security

How to Report

Send your report to thabiti@adamscloudcyber.com with the subject line "Security Vulnerability Report". Please include:

• A description of the vulnerability and its potential impact
• Step-by-step instructions to reproduce the issue
• Any relevant screenshots, proof-of-concept code, or request/response captures
• Your name and contact information (optional — anonymous reports accepted)

You can also use our contact form for general inquiries.

Our Commitments to You

• We will acknowledge receipt of your report within 3 business days
• We will investigate and provide a status update within 14 days
• We will notify you when the vulnerability is resolved
• We will not pursue legal action against researchers who follow this policy in good faith
• We will credit you in our acknowledgments (if you wish to be named)

Responsible Disclosure Guidelines

We ask that you:

• Give us reasonable time to remediate before public disclosure (we request a minimum of 90 days)
• Avoid accessing, modifying, or deleting data that does not belong to you
• Avoid disrupting production services or degrading user experience
• Test only against accounts and data you own or have explicit permission to test
• Report the vulnerability to us before publicly disclosing it

What We Will Not Accept

• Vulnerabilities in third-party services not under our control
• Reports generated by automated scanners without manual verification
• Self-XSS, clickjacking on non-sensitive pages, or missing security headers without demonstrated impact
• Reports accompanied by demands for payment prior to disclosure

Recognition

We do not currently offer a bug bounty program. However, researchers who submit valid, in-scope reports will be acknowledged publicly (with their consent) and will receive our sincere thanks. As a Service-Disabled service-disabled veteran-owned small business (SDVOSB) (SDVOSB) cybersecurity consultancy, we deeply appreciate the security research community.