
Security & Vulnerability Disclosure

We take the security of personal information seriously. If you have found a vulnerability in Sous-Chef, please tell us. This page explains how, what we will do in return, and the small set of things we ask you not to do.

How to report

Email: security@sous-chef.co.za

For anything that involves data already accessed or that you consider time-sensitive, please mark the subject line URGENT — SECURITY. The mailbox is monitored by the Information Officer; we aim to acknowledge within one business day.

If you would like to encrypt your report, our PGP public key is available at /.well-known/security-pgp.asc. Fingerprint: TBD — to be published before public launch.

What to include

  • A description of the issue, the affected URL or endpoint, and the impact you believe it has
  • Steps to reproduce — short, deterministic, and from a clean account if possible
  • Any proof-of-concept code, request/response captures, or screenshots (please redact any third-party PII)
  • Your name (or a handle) and how you would like to be credited if a fix ships

What we will do

  • Acknowledge receipt within one business day
  • Investigate and confirm or refute the finding within 7 days for High/Critical issues; 21 days for Medium/Low
  • Keep you updated as we triage and remediate
  • Credit you publicly on this page once a fix is shipped, unless you ask us not to
  • Where a remediation requires customer-organisation action, notify those customers promptly

If a report turns out to describe an actual personal-information breach, we follow the procedure in our internal breach-response runbook and notify the Information Regulator and affected data subjects in line with POPIA s22.

Safe-harbour commitments

When you act in good faith and within the rules below, Sous-Chef will not pursue civil action against you and will work with you if a third party (for example, a hosting provider) raises a complaint about your testing activity.

  • Investigate only accounts you control or accounts you have explicit permission to test
  • Stop testing and report immediately if you encounter personal information that is not your own
  • Do not exfiltrate, retain, or share any personal information you encounter — confirm presence and stop
  • Do not run automated scanners that meaningfully degrade service for other customers
  • Give us a reasonable window to remediate before public disclosure (we suggest 90 days; less if there is an active threat)

Out of scope

The following are usually not vulnerabilities we will treat as reportable findings. We list them only to save your time:

  • Missing security headers without a demonstrated impact
  • Self-XSS that requires the victim to paste content into their own browser console
  • Findings against staging or development hostnames not in the active deployment
  • Email-spoofing reports about domains we don't use for outbound mail
  • Reports purely about rate-limiting, brute-force, or denial-of-service that do not affect data integrity or confidentiality

Hall of fame

We will list researchers who have helped us improve here, once the first report has been resolved. Thank you in advance.

Related

For data-subject requests (access, correction, deletion), please contact our Information Officer. For our broader privacy posture, see the privacy policy.
