1. Introduction
Akçansa is committed to maintaining the highest standards of information security.
We invite security researchers to report any vulnerabilities discovered in our products, applications, or infrastructure in a responsible manner.
This policy describes how researchers can contact us, what rules must be followed, and the assurances Akçansa provides during the disclosure process.
2. Reporting Channels
You can reach us securely through the following channels:
Email: [email protected]
PGP Public Key: https://www.akcansa.com.tr/pgp/akcansa-pgp-public.asc
PGP Fingerprint: 2AC898996F6F4533B87824875BACEA1CC17AA1D7
Security.txt: https://www.akcansa.com.tr/.well-known/security.txt
VDP Submission Form: (optional)
3. Researcher Guidelines (Safe Harbor)
As long as you follow these rules, Akçansa will not pursue legal action against good-faith research:
Do not perform tests that could disrupt services (DoS/DDoS)
Avoid social engineering, phishing, or physical access attempts
Do not access, modify, store, or share personal/sensitive data
Only test your own accounts or dedicated test accounts
Share only minimal proof-of-concept (PoC) details
Do not publicly disclose exploit code
Our goal is to provide a safe environment for collaborative security research.
4. Timeline and Process
Acknowledgement: within 3 business days
Triage and initial assessment: within 7 days
Remediation timeline (based on CVSS score):
Critical ≥ 9.0 → 7 days
High 7.0–8.9 → 14 days
Medium 4.0–6.9 → 30 days
Low 0.1–3.9 → during scheduled maintenance
If a vulnerability is listed in the Known Exploited Vulnerabilities (KEV) catalog or there is evidence of active exploitation, timelines are accelerated.
5. Validation and Testing
Validation is preferably performed in a non-production environment
CVSS v3/v4 scoring is applied
A retest is conducted after remediation
6. Embargo and Coordination
The default embargo period is 90 days. An advisory is published once a fix or mitigation is available. This period may be extended or shortened upon mutual agreement.
7. Researcher Credit (Hall of Fame)
With consent, the researcher’s name or alias may be published in our Hall of Fame.
8. Disclaimer
This policy protects only good-faith security research. Malicious activity, data theft, or intentional damage is not protected under Safe Harbor.
9. Contact
For questions: [email protected]