SPORT COMMUNITIES GROUP – SECURITY POLICY
Last updated March 5, 2026
PURPOSE
This Security Reporting & Vulnerability Disclosure Policy outlines how to responsibly report security issues in systems and services owned or operated by Sport Communities Group. It is designed to support coordinated vulnerability handling and improve our security posture while minimizing risk to users.
CONTACT INFORMATION
To report a potential security issue, please contact us:
- Email: [email protected]
- Contact Form: https://sportcommunities.group/contact
- Phone: +1-323-529-3208
- Suggested subject: Security Report – [Short Description]
- If an active exploitation is happening, include “URGENT” in the subject line.
If you require an alternative secure reporting channel, please request it in your initial email.
WHAT TO INCLUDE IN A REPORT
Please include enough detail to allow for a reliable assessment:
- A clear description of the issue and its potential impact.
- The exact URL(s), service(s), or asset(s) affected.
- Steps to reproduce the issue.
- Proof of concept, screenshots, or logs.
- Your contact information for the ability to follow up.
SCOPE
This policy applies to systems and assets that are:
- Owned or operated by Sport Communities Group.
- Accessible over public networks and used by customers, vendors, staff, or the general public.
If the issue involves third‑party infrastructure, please include evidence showing the impact on our systems.
AUTHORIZED SECURITY TESTING
We authorize vulnerability research under the following conditions:
- You have written permission (e.g., contract, SOW, authorized program).
- You follow any signed rules of engagement.
Examples of authorized testing may include:
- Controlled phishing or social‑engineering assessments.
- Red‑team activity with explicit consent.
- Other testing agreed in advance.
SAFE HARBOR
If you act in good faith and follow this policy:
- We aim to treat your research as authorized for coordinated vulnerability disclosure.
- We will not pursue legal action for your report.
Good‑faith testing includes:
- Avoiding privacy violations and data destruction.
- Not disrupting production services.
- Limiting access only to the data necessary to demonstrate the issue.
- Stopping testing after obtaining proof.
- Reporting findings promptly.
- Not sharing, retaining, or reusing any non-public data.
OUT-OF-SCOPE ACTIVITIES
The following activities are generally not authorized unless specifically permitted in writing:
- Social engineering, phishing, or red‑team tests without permission.
- Physical attacks requiring on‑site access.
- Denial‑of‑Service (DoS/DDoS) testing.
- Exploits reliant on outdated software with no server‑side impact.
- Reports without reproducible evidence.
RESPONSE TARGETS
We strive to:
- Acknowledge reports within 2 business days.
- Provide a triage/status update within 5 business days.
- Work risk‑based toward remediation.
Actual timelines depend on issue complexity and severity.
PUBLIC DISCLOSURE
Please do not publicly disclose vulnerabilities until remediation is complete OR a coordinated disclosure timeline has been agreed upon in writing.
BUG BOUNTY
We currently do not operate a paid bug bounty program.
POLICY PUBLICATION
Machine-readable reporting details are published at:
- https://sportcommunities.group/security.txt
- https://sportcommunities.group/.well-known/security.txt
- https://[scgCommunity]/security.txt
- https://[scgCommunity]/.well-known/security.txt
ACKNOWLEDGEMENTS
We appreciate responsible reports that improve security. Public credit can be coordinated after remediation.