SAKURA SKY SECURITY DISCLOSURE POLICY

OVERVIEW

At Sakura Sky (www.sakurasky.com), the security of our infrastructure and the protection of our users' data are paramount. We appreciate the efforts of security researchers who help us maintain a robust security posture. This policy outlines the scope, expectations, and exclusions for reporting vulnerabilities.

REPORTING SCOPE

We encourage the reporting of high-impact vulnerabilities directly related to our primary web presence. This includes:

* Critical flaws in web server configurations.
* Vulnerabilities in website code (e.g., SQLi, XSS, SSRF).
* Potential data breaches or unauthorized access to sensitive information.
* Architectural flaws that compromise the integrity of our services.

STRICT EXCLUSIONS & OUT-OF-SCOPE ISSUES

To ensure our team focuses on genuine, high-severity threats, the following are strictly excluded from our bounty program and disclosure policy:

* AUTOMATED SCANNER RESULTS: We perform regular, comprehensive scanning using industry-standard tools (including Tenable Nessus and OWASP ZAP). We have full visibility and acceptance of these results. Reports that simply replicate findings from these or similar automated tools will be rejected.
* LOW-IMPACT / TRIVIAL BUGS: Issues that do not pose a direct risk to user data or system integrity, such as clickjacking on non-transactional marketing pages or missing security headers that do not lead to a direct exploit.
* INFORMATIONAL FINDINGS: TLS/SSL best practices (e.g., certificate transparency, cipher suites) unless a specific, exploitable vulnerability is demonstrated.

SUBMISSION GUIDANCE

To help our team validate and remediate issues efficiently, reports must be comprehensive. A valid submission must include:

* Summary: A brief description of the vulnerability and its potential impact.
* Reproduction Steps: A clear, step-by-step guide to reproducing the issue.
* Proof of Concept (PoC): Screenshots, scripts, or video captures.
* Recommendations: Suggested remediation steps to mitigate the risk.

BOUNTY PROGRAM

Sakura Sky maintains a reward structure for valid, non-trivial security vulnerabilities. Eligibility for rewards is determined at our sole discretion based on the severity and novelty of the report. Detailed reward tiers and eligibility criteria are provided upon the validation of a successful report.

COMMUNICATION & DISCLOSURE

Please submit all findings to our security team via the channels specified in our security.txt file. We ask that you provide us a reasonable amount of time to resolve the issue before any public disclosure.

CONTACT: responsible-reporting@cypherhub.cloud
POLICY VERSION: 1.1
LAST UPDATED: March 2026