Springpoint Insights Vulnerability Disclosure Policy
How to report security vulnerabilities affecting Springpoint Insights websites, applications, dashboards, APIs, demos, and services.
Effective date:
Overview
Tech Local takes security seriously. We welcome good-faith vulnerability reports for Springpoint Insights-operated websites, products, APIs, dashboards, demos, and services.
This is a Vulnerability Disclosure Policy, not a paid bug bounty program. We do not offer cash rewards. At our discretion, valid first reports may receive non-cash recognition such as public thanks, a LinkedIn recommendation, service credits, swag, or similar acknowledgement.
Scope
This policy applies to public-facing systems clearly operated by Tech Local for Springpoint Insights, including the public website, application routes, dashboards, APIs, demos, product sites, and related services.
If a system is not clearly operated by us, it is out of scope unless we confirm otherwise in writing.
Client websites, client applications, third-party services, cloud providers, open-source dependencies, payment processors, WhatsApp, email providers, AI model providers, and other vendor systems are out of scope. Please report vulnerabilities in third-party systems directly to the relevant provider.
If you are unsure whether something is in scope, email tech@eco-technology.co.za before testing.
How to Report a Vulnerability
Please email vulnerability reports to tech@eco-technology.co.za with "Security report" in the subject line.
Do not send vulnerability reports through social media, public comments, LinkedIn messages, or unrelated client/project channels.
What to Include
Please include enough detail for us to understand and reproduce the issue safely:
- the affected product, domain, API, endpoint, or feature;
- a short description of the vulnerability and potential impact;
- clear reproduction steps;
- screenshots, screen recordings, logs, request/response examples, or proof-of-concept code where helpful;
- the account, role, browser, device, or environment used during testing;
- whether you accessed any personal information, secrets, client data, production records, or third-party data; and
- your contact details and whether you want public recognition if the report is valid.
Please do not include more personal information, secrets, or customer data than necessary to prove the issue. If you encounter sensitive data, stop testing immediately and report what happened.
Rules for Good-Faith Research
When testing, you must:
- use only the minimum testing needed to confirm a vulnerability;
- avoid privacy violations and avoid accessing, modifying, deleting, copying, or exfiltrating data that is not your own;
- stop testing immediately if you encounter personal information, secrets, client data, production records, or third-party data;
- avoid disrupting, degrading, or damaging any system, service, user experience, or data;
- keep vulnerability details confidential until we have had a reasonable opportunity to investigate and remediate; and
- comply with applicable law.
Safe Harbor
If you make a good-faith effort to follow this policy, we will not initiate legal action against you for security research that is authorised by this policy.
This safe harbor only applies to activity that:
- is limited to in-scope systems covered by this policy;
- avoids privacy violations, disruption, degradation, destruction, or unauthorised access to data;
- uses only the minimum testing needed to confirm a vulnerability;
- stops immediately if sensitive data, personal information, secrets, or client data is encountered;
- is reported to us promptly through the official reporting channel; and
- is not publicly disclosed until we have had a reasonable opportunity to investigate and remediate.
This policy does not authorise social engineering, phishing, physical attacks, denial-of-service testing, spam, extortion, destructive testing, persistence, lateral movement, malware, or access to systems or data that are not your own.
If your activity is inconsistent with this policy, unlawful, harmful, or not in good faith, this safe harbor does not apply.
What to Expect From Us
We aim to acknowledge valid-looking reports within 5 business days.
We will review the issue, may ask for more information, and will prioritise fixes based on severity, exploitability, affected data, and business impact.
We do not guarantee a specific fix timeline, but we will make a good-faith effort to keep reporters updated on material progress.
Recognition and Rewards
Tech Local does not operate a paid bug bounty program and does not offer cash rewards.
At our discretion, we may provide non-cash recognition for valid, unique, first reports. This may include public thanks, a LinkedIn recommendation, service credits, swag, or similar acknowledgement.
Recognition is not guaranteed and is not available for reports that are out of scope, already known, not reproducible, low quality, generated by high-volume automated scanning, or submitted in a way that violates this policy.
Public Disclosure
Please do not publicly disclose a vulnerability or related details until we have had a reasonable opportunity to investigate and remediate it.
If you want to publish details after remediation, please coordinate with us first so we can avoid exposing users, clients, or systems to unnecessary risk.
Privacy and Data Protection
If a report indicates that personal information may have been accessed or acquired by an unauthorised person, we will assess our obligations under applicable data protection laws, including POPIA where relevant.
Do not retain, share, publish, or use any personal information, secrets, client data, production records, or third-party data encountered during testing.
Contact
Tech Local (Pty) Ltd
18 Rosyth Road, Nahoon
East London, Eastern Cape, 5241
South Africa
Security reports: tech@eco-technology.co.za
Support: tech@eco-technology.co.za