Bug Report

Last updated: 2025.09.27

1. Purpose

We are committed to the security and privacy of Somera services and customer data. We welcome security researchers who act in good faith and help us improve our products. If you discover a potential security issue, please report it promptly so we can validate and remediate it. We will work with you to understand the issue and its impact.

2. Contact

You can send an email to our Primary contact.

If encryption is required, send an email to request our PGP key.

Data deletion or account removal requests: check this page or send an email. We aim to respond within one month after receiving your request and any information needed to verify and locate your data.

3. Safe harbor for good faith research

We will not initiate or recommend legal action for security research performed and reported in good faith under these rules. This safe harbor applies to research that avoids privacy violations, service degradation, or data destruction, that uses only accounts you own or have explicit permission to test, and that follows the scope and rules below. It does not apply to actions that are unlawful or that violate these rules.

4. Supported products and services

You may test Somera owned properties and integrations that you administer:

• Somera web applications including progressive web apps and admin dashboards
• Somera APIs and endpoints exposed to your authorized accounts
• Connectors you have linked via OAuth to your own or authorized accounts on supported platforms
• Public facing pages on somera.com.tr and somera.social domains

Note: when testing features that access platform content or data, your testing must comply with the platform's own terms and policies. See also the "Relationship with Platform terms; compliance and revocation" section in Terms of Service.

5. Ground rules for testing

Make a good faith effort to avoid privacy violations, data destruction, or service interruption. Only interact with accounts you own or have explicit permission to test.

Do not attempt to access another user's data. Do not exfiltrate data beyond the minimum needed to demonstrate impact. If you encounter personal data, stop, minimize exposure, redact in your report, and delete any local copies after submission.

Do not use fuzzers, scanners, or high volume automated tools against our services. If your tests negatively impact the platform, stop immediately. We may block abusive traffic.

Never conduct social engineering, phishing, vishing, smishing, physical intrusion, or denial of service.

Follow platform policies for any connected account you administer.

6. What to include in your report

Please email us at security@somera.com.tr with:

• Descriptive title and summary of impact
• Affected product, environment, and URLs or endpoints
• Exact steps to reproduce, including any test account used
• Proof of concept: screenshots, short video, or minimal code sample
• Expected vs actual behavior
• Date and time of testing and approximate tester IPs to help us correlate logs
• Any relevant request or response samples with secrets and personal data redacted

We prefer one vulnerability per report unless chaining is required to demonstrate impact.

7. Our process and timelines

Acknowledge: We aim to acknowledge receipt within 3 business days.

Triage: We assess severity and scope promptly and may contact you for clarification.

Remediation: We prioritize fixes based on severity and impact.

Disclosure: We coordinate public communication with you. Please do not disclose publicly until we confirm remediation or agree on a timeline.

Thank you: We may offer recognition at our discretion. Somera is not legally obliged to pay any bounty.

8. Scope and out-of-scope

In scope:

• Authentication and authorization issues in Somera controlled apps and APIs
• Access control, privilege escalation, insecure direct object references
• Injection issues, server side request forgery under controlled proof, XSS, CSRF affecting authenticated sessions you own and administer
• Sensitive data exposure that does not require breaching another user's data

Out of scope, do not attempt or report the following:

• Denial of service or resource exhaustion, brute force or credential stuffing, or high volume automated scanning
• Physical vulnerabilities or attacks
• Social engineering, phishing, vishing, smishing, or attacks on our staff, users, or vendors
• Issues requiring self XSS, clickjacking only issues, general UI or UX bugs, spelling mistakes
• Descriptive error messages, 404s and other HTTP error codes, banner disclosures, public files like robots.txt, user enumeration, absence of rate limits
• CSRF on forms available to anonymous users like signup, login, contact

9. Privacy alignment

We request only the permissions necessary to moderate accounts you administer, and you can revoke access at any time in the relevant platform settings.

If your report includes personal data, please redact wherever possible. We use your report solely to investigate and fix the issue.

If an account becomes inactive under our Privacy Policy rules, Somera deletes the account and associated Platform Data after the 30 day grace period. For deletion requests, use the Deletion Request page.

10. Enforcement

If you violate these rules, including causing harm to users or systems or performing prohibited activities, we may block traffic, disable accounts, or take other actions as needed to protect users and services, and in some cases we may pursue legal remedies.