Security & Responsible Disclosure

We take security seriously — it's part of what we do for our clients. If you've found a vulnerability in our systems, we want to hear from you.

Report a vulnerability

Email us with details and steps to reproduce. PGP available on request.

goku@umayai.com

Machine-readable contact: /.well-known/security.txt

Acknowledgement

We aim to acknowledge your report within 3 business days.

Assessment

We triage, validate, and keep you updated on remediation progress.

Resolution

We fix confirmed issues promptly and credit you if you wish.

In scope

  • umayai.com and its subdomains
  • Our public web application and APIs
  • Authentication, booking, and contact flows

Out of scope

  • Denial-of-service (DoS/DDoS) or volumetric attacks
  • Social engineering of our staff, clients, or vendors
  • Physical attacks against offices or hardware
  • Automated scanner output with no demonstrated impact
  • Best-practice suggestions without a concrete vulnerability

Safe harbour

We will not pursue legal action against researchers who act in good faith and follow this policy. To stay protected, please:

  • Make a good-faith effort to avoid privacy violations, data destruction, and service disruption.
  • Only access or modify data that belongs to you (use test accounts).
  • Give us reasonable time to remediate before any public disclosure.
  • Do not exfiltrate data, pivot to other systems, or degrade our services.

We don't currently run a paid bug-bounty program, but we're glad to publicly credit researchers who report valid issues.