1. Purpose
Check-in Scan is committed to maintaining the confidentiality, integrity, and availability of its systems and customer data.
This policy defines the process for the responsible reporting and handling of security vulnerabilities in accordance with industry best practices, including ISO/IEC 27001 and ISO/IEC 29147.
2. Scope
This policy applies to all digital assets owned, operated, or controlled by Check-in Scan, including but not limited to:
This policy applies regardless of geographic location or hosting environment.
3. Reporting a Vulnerability
If you believe you have identified a security vulnerability, please report it to:
📧 security@checkinscan.com
Please include:
- Description of the vulnerability
- Steps to reproduce
- Proof-of-concept (where applicable)
- Potential impact assessment
- Your contact information
4. Our Commitment
Upon receiving a report, Check-in Scan will:
- Acknowledge receipt within a reasonable timeframe
- Assess and validate the reported vulnerability
- Prioritise remediation based on risk and impact
- Take appropriate corrective actions
- Maintain communication with the reporter where appropriate
5. No Bug Bounty / Compensation
Check-in Scan does not operate a bug bounty program.
We do not provide monetary rewards or compensation for unsolicited vulnerability reports.
Submission of a vulnerability report does not create any expectation of payment or contractual relationship.
6. Responsible Disclosure Requirements
Security researchers must:
- Act in good faith and avoid privacy violations
- Not exploit vulnerabilities beyond what is necessary to demonstrate their existence
- Not access, alter, or exfiltrate data belonging to others
- Not disrupt services (e.g., DoS, brute force, automated scanning causing degradation)
- Not use social engineering, phishing, or physical intrusion techniques
- Not attempt lateral movement within systems
7. Non-Disclosure and Publication
- Public disclosure of vulnerabilities is strictly prohibited without prior written authorisation from Check-in Scan
- Researchers must allow sufficient time for remediation before any coordinated disclosure
- Unauthorized disclosure may result in legal action
8. Legal Safe Harbour
Check-in Scan will not pursue legal action against individuals who:
- Comply with this policy
- Act in good faith
- Do not exploit vulnerabilities for personal gain or malicious purposes
Activities outside these conditions may be considered unlawful.
9. Handling of Reports (Internal Control Alignment)
All reported vulnerabilities will be:
- Logged and tracked within internal security processes
- Assessed according to risk management procedures
- Remediated in line with internal security controls
- Reviewed for root cause and preventative measures
This aligns with:
- Information security risk assessment and treatment (ISO/IEC 27001 clauses 6.1 and 8.2–8.3)
- Information security incident management controls (ISO/IEC 27001 Annex A)
- Continual improvement (ISO/IEC 27001 clause 10)
10. Abuse and Improper Conduct
The following behaviours are not permitted:
- Repeated or coercive requests for payment
- Attempts to pressure or threaten disclosure for compensation
- Submission of automated or low-quality reports without validation
Such actions may be treated as harassment and reported to the relevant authorities.
11. Policy Governance
This policy is maintained as part of Check-in Scan’s Information Security Management System (ISMS) and is subject to periodic review.
Thank You
We appreciate the contribution of security researchers who act responsibly and help us improve the security of our platform.