SECURITY
Vulnerability Disclosure Program
Last Modified: 2025-07-16
We are committed to the security of our community. This program outlines how to contact us to report potential vulnerabilities.
Introduction
Holy Spirit Connect Ministries (HSCM) is committed to maintaining the security of our systems and data. If you believe you have identified a potential security vulnerability, please share it with us by following the submission guidelines below.
Thank you in advance for your submission. We appreciate researchers assisting us in our security efforts.
Vulnerability Disclosure Program Guidelines
Researchers shall disclose potential vulnerabilities in accordance with the following guidelines:
• Make every effort to avoid privacy violations, degradation of user experience, disruption to production systems, and destruction or manipulation of data.
• Only use exploits to the extent necessary to confirm a vulnerability’s presence. Do not engage in any activity that can potentially cause harm to HSCM, our members, users, or our staff.
• Once a vulnerability has been discovered, stop all related activity and notify us immediately.
• Provide HSCM reasonable time to fix any reported issue before making any information public.
Prohibited Actions
Security researchers are expected to act responsibly and cause no harm. The following actions are outside of the scope of this program and are strictly prohibited:
• Phishing
• Social engineering
• Denial-of-service attacks
• Resource exhaustion attacks
• Any violation of the HSCM Privacy Policy
• Testing of any third-party services
• Use of any vulnerability to exfiltrate data, gain persistent command-line access, or facilitate lateral movement within our systems
In-Scope Assets
• *.holyspiritconnect.org
• The official HSCM Android Application
Out-of-Scope Vulnerabilities
The following vulnerabilities are out of scope and should not be submitted:
• Theoretical vulnerabilities that cannot be proven in practice.
• WordPress Username Enumeration (if applicable to any sub-domains).
• Information related to server status or version.
• Enumeration of directories, files, or assets.
• Findings related to password strength policies.
• Login/Logout/Unauthenticated/Low-impact Cross-Site Request Forgery (CSRF).
• Self-exploitation (e.g., modifying your own user data).
• Any service or libraries not directly hosted or controlled by HSCM.
• Valid bugs or best-practice issues that are not directly related to the security posture of HSCM.
Submission Instructions
When reporting a potential vulnerability, please include a detailed summary that covers the target, the steps to reproduce, and the tools and artefacts used during the discovery.
Submit your findings to: security@holyspiritconnect.org
As a non-profit ministry, Holy Spirit Connect Ministries does not operate a public bug bounty program, and we make no offer of reward or compensation in exchange for submitting potential issues. Recognition in our “Public Acknowledgements” section will be given for reports of vulnerabilities not already known to us.
Disclaimers
Any good-faith activities conducted consistent with this program will be considered authorized conduct, and we will not initiate legal action against you. HSCM reserves the right to change or cancel this program at any time.
Security Research Honourees
Holy Spirit Connect Ministries is dedicated to protecting our users and upholding our commitment to our mission. Partnering with security researchers is just one way we help keep our community safe, and we’d like to thank those who’ve contributed to our Vulnerability Disclosure Program.
Thank you for helping keep Holy Spirit Connect safe.