Vulnerability Disclosure Policy – MaxMySales (MaxMySales)
Effective Date: January 17, 2026
MaxMySales (MaxMySales) welcomes security research to improve our WhatsApp Business API & CRM platform. This policy outlines safe reporting guidelines for good-faith researchers.
Scope
In Scope:
- MaxMySales.com
- core.MaxMySales.com
- API endpoints
- Web app (excluding third-party services such as Meta APIs and Razorpay)
Out of Scope:
- DDoS
- Social engineering
- Physical attacks
- Known issues in third-party services
- Low-impact issues such as self-XSS
Reporting Guidelines
- Email ram@maxmysales.com with reproduction steps, impact, and affected URLs.
- Use PGP if available (see /.well-known/security.txt).
- No public disclosure until fixed (90-day coordination).
- Safe harbor: No legal action for good-faith testing within scope.
What We Don't Want
- Automated vulnerability scanners.
- Attacks causing DoS.
- Spam or phishing simulations.
Response Times
- Acknowledgment: 3 business days.
- Resolution status: Weekly updates.