1. Introduction and Scope
ligaro.io is the Ligaro product landing site, operated by Skillful Sardine - Unipessoal Lda. This policy covers the website and the public APIs served from this domain. The Ligaro CLI, desktop app, and REST API are separate products; their security policies are referenced from their own /.well-known/security.txt files where applicable.
This document is the target of the Policy field in our RFC 9116 /.well-known/security.txt file.
2. How to Report a Vulnerability
Send reports by email to security@skillfulsardine.com. Please include:
- A clear description of the vulnerability
- Steps to reproduce, including any required payloads or proof-of-concept code
- The affected URL, endpoint, or component
- Potential impact
- Your contact details so we can coordinate disclosure
Please do not file reports in public issue trackers, social media, or other public channels before we have had a chance to respond.
3. In-Scope
- ligaro.io (landing page, waitlist subscription, legal pages)
- Public APIs served from the ligaro.io hostname
- Authentication, session, and CSRF handling on the site
- Server-side injection (SQL, command, template, etc.)
- Stored or reflected cross-site scripting (XSS)
- Insecure direct object references and authorisation flaws
- Sensitive data exposure on the site
4. Out-of-Scope
- Denial-of-service attacks, rate-limit bypasses that require sustained traffic, or any test that would degrade the service for other users
- Social engineering of Skillful Sardine staff, contractors, or waitlist subscribers
- Physical attacks against offices or personnel
- Attacks against third-party services we integrate with
- Findings in the Ligaro CLI, desktop app, or REST API product; report those to their respective channels once published
- Missing "defence-in-depth" headers without a demonstrated exploitation path
- Automated scanner output without manual validation
- Publicly known CVEs in dependencies that have no working exploit against our deployment
5. Researcher Guidelines
- Make a good-faith effort to avoid privacy violations, data destruction, and service interruption during testing
- Stop testing as soon as you have enough information to report the finding
- Do not access, modify, or retain data that does not belong to you
- Give us a reasonable amount of time to remediate before disclosing publicly (see §6)
- Do not attempt to pivot to other systems once a vulnerability is confirmed
6. Response Timeline
- Acknowledgment: within 72 hours of receipt
- Initial assessment: within 7 days
- Status updates: at least every 14 days until the report is closed
- Coordinated disclosure: we aim to remediate within 90 days of triage
7. Safe Harbor
When you follow this policy, we consider your research to be authorised conduct under relevant computer-crime statutes. We will not pursue legal action against researchers who act in good faith and within the guidelines above. We cannot waive claims held by third parties.
8. Rewards and Recognition
We do not operate a monetary bug bounty. With your permission, we are happy to credit validated reports on our Security Acknowledgments page.
9. Contact
Security reports: security@skillfulsardine.com
General legal enquiries: legal@skillfulsardine.com