Our commitment
Mobiscroll takes the security of its products seriously. We welcome reports from security researchers and customers who identify potential vulnerabilities in any Mobiscroll product. We commit to investigating every report in good faith, keeping you informed, and working with you on a coordinated disclosure timeline.
Scope
This policy applies to all Mobiscroll commercial products and services, including:
The Mobiscroll UI component library (Scheduler, Eventcalendar, Datepicker, and all other components)
The Mobiscroll Connect services
This policy does not cover vulnerabilities in third-party libraries, open-source dependencies, or infrastructure we do not manage, unless they directly affect a Mobiscroll product or service.
How to report a vulnerability
Send your report to security@mobiscroll.com.
We treat all incoming reports as confidential. Your details will not be shared with any third party without your explicit consent.
Please include as much of the following as possible:
The affected product or service and the version number (if known)
A clear description of the vulnerability and its potential impact
Step-by-step instructions to reproduce the issue
Any proof-of-concept code, screenshots, or supporting artefacts
Your contact details (name and email) if you would like to receive updates
Incomplete reports are still welcome — we will acknowledge them and may follow up for more information.
What to expect
| Step | Timeline |
| --- | --- |
| Acknowledgement of your report | Within 2 business days |
| Initial assessment and severity classification | Within 5 business days |
| Status update (fix in progress, under investigation, or disputed) | Within 15 business days |
| Resolution or coordinated disclosure | Within 90 days of confirmation |
For Critical vulnerabilities with evidence of active exploitation, we aim to release a fix or documented mitigation within 30 days of confirmation.
If we cannot resolve an issue within 90 days, we will contact you to discuss an extension or agree on a disclosure date together. We will not request an indefinite embargo.
Severity classification
We classify vulnerabilities using CVSS (Common Vulnerability Scoring System) scores combined with business impact assessment.
| Severity | CVSS score | Examples | Target remediation |
| --- | --- | --- | --- |
| Critical | 9.0 – 10.0 | Data breach, full system compromise, unauthorised access to customer data | 30 days |
| High | 7.0 – 8.9 | Significant risk; exploitation possible under specific conditions | 60 days |
| Medium | 4.0 – 6.9 | Moderate risk; limited impact or complex exploitation required | 90 days |
| Low | 0.1 – 3.9 | Minimal impact; informational findings | Next release cycle |
If you disagree with the classification we assign, you are welcome to request a review. The final decision rests with us, but we will explain our reasoning.
Coordinated disclosure
We ask that you give us a reasonable amount of time to investigate and address a confirmed vulnerability before any public disclosure.
We commit to:
Confirming or disputing the validity of your report within the timelines above
Keeping you informed of progress throughout the remediation process
Working with you to agree a joint or simultaneous disclosure date where appropriate
Crediting your contribution (with your permission) in any public communication
If we cannot resolve the issue within 90 days and you choose to disclose, we will not take legal action provided you acted in good faith throughout the process.
Safe harbor
Security research carried out in good faith and in line with this policy will not be subject to legal action by Mobiscroll (The Acid Media S.R.L.). We will not initiate civil or criminal proceedings against researchers who:
Do not access, modify, copy, or delete data beyond what is necessary to demonstrate the vulnerability
Do not perform or attempt denial-of-service attacks against any Mobiscroll system
Do not exploit a finding for personal financial gain
Report findings to us before any public disclosure
Act in good faith throughout the process
Safe harbor applies only to activity directly related to the security research submitted. It does not cover unrelated violations of law.
Recognition
We value the work of security researchers. With your permission, we will acknowledge your contribution on our security acknowledgements page. You can opt out of public recognition at any time before we publish.
We do not currently offer financial compensation (bug bounty). This may change in the future — we will update this page if it does.
