sAPIm Coordinated Vulnerability Disclosure (CVD) Program

At Aquiva Labs, security and trust are foundational to how we build and operate sAPIm. We value responsible security research and encourage the reporting of potential vulnerabilities to help protect our customers and the broader Salesforce ecosystem.

This Coordinated Vulnerability Disclosure (CVD) program defines how security issues related to sAPIm should be reported and how we commit to handling them.

By submitting a vulnerability report, you agree to comply with the rules outlined below.

Scope

This program applies to:

  • sAPIm – Salesforce API Monitoring & Anomaly Detection App
  • All sAPIm-related services, configurations, and integrations operated by Aquiva Labs
  • The official sAPIm website: https://sapim.aquivalabs.com
  • sAPIm AppExchange package and related backend services

Out of scope:

  • Salesforce platform vulnerabilities not directly caused by sAPIm
  • Vulnerabilities in third-party services not controlled by Aquiva Labs
  • Denial-of-service attacks, social engineering, or physical attacks

Responsible Disclosure Guidelines

We ask that all researchers:

  • Act in good faith
  • Avoid accessing, modifying, or deleting customer data
  • Avoid disrupting production systems
  • Do not publicly disclose vulnerabilities before remediation or explicit permission
  • Comply with all applicable laws and regulations

How to Report a Vulnerability

Please report security vulnerabilities via email:

Email: jstefaniak@aquivalabs.com
(Field CTO, Aquiva Labs)

To help us efficiently triage and remediate issues, reports should include at minimum:

  1. Affected component or location
    (e.g., API endpoint, AppExchange package feature, UI area)
  2. Detailed reproduction steps
    Clear, step-by-step instructions to reproduce the issue
  3. Impact assessment
    Severity, exploitability, and potential attack scenarios
  4. Supporting evidence
    Screenshots, logs, HTTP responses, or other relevant artifacts
  5. Your contact information

Optional but helpful:

  • Proof-of-concept code
  • Short screen recording demonstrating the issue

What You Can Expect From Us

If you submit a report in good faith and include contact information, we commit to:

  • Acknowledging receipt within 5 business days
  • Reviewing and validating the report
  • Maintaining reasonable transparency about remediation progress
  • Coordinating responsibly until the issue is resolved or mitigated

Timelines for fixes may vary depending on severity, complexity, and Salesforce platform constraints.

No Monetary Rewards

  • This program does not offer financial rewards or bounties
  • By submitting a report, you acknowledge that:
    • You have no expectation of payment
    • You waive any future compensation claims related to the submission

At our sole discretion, we may acknowledge responsible reporters in release notes or private communications.

Legal & Administrative Notes

  • All submitted information is considered non-confidential and non-proprietary
  • Aquiva Labs may use reported information for remediation, security improvements, and internal documentation
  • Aquiva Labs reserves the right to:
    • Modify this CVD program at any time
    • Decline reports that do not follow responsible disclosure practices
    • Make case-by-case exceptions when appropriate
  • Aquiva Labs employees and contractors are excluded from participating

Feedback

We welcome feedback on this CVD program and suggestions for improving our security posture.

Email: jstefaniak@aquivalabs.com

Thank you for helping keep sAPIm and its users secure.