SHUA Team
Vulnerability Disclosure Policy
1. Introduction
SHUA is committed to maintaining the security and integrity of its products and services. This Vulnerability Disclosure Policy outlines the process by which external parties may report potential security vulnerabilities in a responsible and coordinated manner.
We appreciate the efforts of security researchers and others who identify vulnerabilities and report them in good faith in accordance with this policy. Please note that we do not offer financial compensation for vulnerability disclosures.
2. Scope
This policy applies to all digital products and services provided by SHUA where security vulnerabilities may arise.
3. Reporting a Vulnerability
If you have identified a security vulnerability, please report it to us via:
Email: info@shuafitness.it
When submitting a report, please provide the following information to enable effective triage:
- The URL, IP address, or product/system where the vulnerability was observed
- A brief description of the vulnerability type
- Step-by-step instructions to reproduce the issue, preferably using a non-destructive proof-of-concept
4. What to Expect
Upon receiving your report, we will:
- Acknowledge receipt within 5 working days
- Triage the vulnerability within 10 working days, where feasible
- Provide status updates at least every 14 days while remediation is in progress
- Notify you once the vulnerability has been remediated and, where applicable, invite you to verify the resolution
- Coordinate with you if public disclosure is requested, to ensure any guidance to users is consistent
5. Rules of Engagement
You must not:
- Engage in activities that violate any applicable laws or regulations
- Access, modify, or destroy data that does not belong to you
- Use high-impact scanning tools or denial-of-service techniques
- Disrupt, degrade, or interfere with the organisation’s systems or services
- Report non-exploitable vulnerabilities or general best practice deviations (e.g., missing headers or weak cipher suites)
- Demand financial compensation for disclosing vulnerabilities
- Attempt to phish, social engineer, or physically attack employees, contractors, or infrastructure
- Share any details of the vulnerability outside the communication channels specified in this policy
You must:
- Comply with all applicable data protection laws
- Securely delete any data obtained during your research as soon as it is no longer required, or within one month of resolution—whichever occurs first
- Refrain from publishing or discussing details of the vulnerability without prior coordination with SHUA
6. Legal Considerations
This policy is designed to align with responsible vulnerability disclosure best practices. However, it does not grant permission to act in any manner that would breach applicable law or cause harm to the organisation, its users, or its partners. Reports submitted in good faith will not be pursued for legal action, provided the reporter complies fully with this policy.
