Security & Responsible Disclosure Policy

Effective Date: 14 October 2025

Contact: security@komerza.com

1. Purpose

UAB Komerza ("Komerza", "we", "our") is committed to maintaining the confidentiality, integrity, and availability of its systems and the data entrusted to it. This policy defines how external security researchers, merchants, and third parties can responsibly disclose potential vulnerabilities in Komerza-operated systems.

2. Scope

This policy applies to the following assets:

  • Production domains under komerza.com, mykomerza.com, and komerza-preview.com.
  • The Komerza Builder dashboard and associated web applications.
  • Komerza's public APIs (e.g. api.komerza.com).

Testing outside these assets (including internal infrastructure, employee systems, or third-party suppliers) is not authorised without prior written consent.

3. Reporting a Vulnerability

Reports should be submitted to security@komerza.com and must include:

  • A clear description of the vulnerability and its potential impact.
  • Steps to reproduce the issue.
  • Any relevant proof-of-concept data or screenshots.

Komerza will acknowledge receipt within 7 business days and aim to provide an initial triage or response within 10 business days.

4. Prohibited Activities

To protect users, researchers must not:

  • Exploit, modify, or delete any data.
  • Access, copy, or attempt to access another user's information.
  • Perform denial-of-service, brute-force, spam, or resource-exhaustion attacks.
  • Use automated scanners or fuzzers that degrade service quality.
  • Attempt social engineering or phishing against Komerza staff or users.

Non-intrusive testing (e.g., observing HTTP headers or response codes) is acceptable; fuzzing and destructive testing are not permitted.

5. Safe Harbour

Komerza will not initiate legal action against researchers who:

  • Act in good faith to report security issues;
  • Avoid privacy violations, service disruption, or data loss; and
  • Provide reasonable time for remediation before public disclosure.

Reports meeting these criteria will be treated as authorised under Lithuanian law and Article 196 of the Criminal Code shall not be invoked against the reporter.

6. Disclosure Policy

Komerza supports coordinated disclosure:

  • Researchers may publicly disclose details of the vulnerability after Komerza confirms remediation or after 90 days, whichever comes first.
  • Early disclosure without coordination may be considered a violation of this policy.

Komerza may publish advisories, fixes, or acknowledgements at its discretion.

7. Rewards

Komerza operates a discretionary bug bounty program.

  • Bounties are awarded based on severity, impact, and quality of the report.
  • Low-impact or duplicate issues may not qualify for a reward.
  • Researchers may optionally request public credit on the Komerza "Hall of Thanks" page.

8. No Warranty of Response or Payment

While Komerza aims to investigate all reports, submission of a vulnerability does not create any contractual or employment relationship. All bounty awards are discretionary and subject to internal review.

9. Policy Updates

Komerza may amend this policy from time to time. Material updates will be published at https://legal.komerza.com/security.

10. Governing Law

This policy shall be governed by the laws of the Republic of Lithuania. Disputes arising from this policy shall be resolved through arbitration under the Vilnius Court of Commercial Arbitration, in Lithuanian, in accordance with Komerza's Terms of Service.

Contact Information

UAB Komerza (reg. code 307395204)

Giedraičių g. 39, R53, LT-09302 Vilnius, Lithuania

Legal inquiries: legal@komerza.com

© 2026 UAB Komerza. All rights reserved.