VoteEdge
African elections

Responsible Disclosure

Version: 1.0
Last revised: 2026-05-09
Effective: 2026-05-09

VoteEdge welcomes responsible disclosure of security vulnerabilities. This policy explains how to report a suspected vulnerability, what is in scope, what is out of scope, and what you can expect from us in response.

1. How to report

Send an email to hello@voteedgeng.com with:

  • a concise summary of the issue;
  • the URL or endpoint affected;
  • step-by-step reproduction instructions or a proof-of-concept;
  • the impact you believe the issue has;
  • any supporting screenshots, request captures, or logs (please redact your own session tokens before sending);
  • your preferred name and contact details, if you would like to be acknowledged after the issue is fixed.

If you wish to encrypt your report, contact us at the email above and we will provide a PGP key.

2. In scope

The following are in scope for this policy:

  • the production marketing website at https://voteedgeng.com;
  • the production application served on the same hostname under authenticated routes;
  • the production API endpoints used by the application.

We are particularly interested in:

  • authentication and authorisation issues;
  • tenant-scoping and cross-project data exposure;
  • election-day result-transmission integrity;
  • server-side request forgery;
  • SQL injection;
  • cross-site scripting that bypasses our Content Security Policy;
  • rate-limit or abuse vectors that could affect the platform’s availability on election day.

3. What to expect from us

  • We acknowledge receipt of your report within two (2) business days.
  • We provide an initial assessment of the report within five (5) business days.
  • We coordinate with you on disclosure timing, taking into account the severity of the issue, the time required to patch and verify, and election-day operational considerations, which may briefly delay the public announcement of a fix (not our acknowledgement to you that the vulnerability exists) until after polls close.
  • We credit your work in our acknowledgements list (with your consent), unless you prefer to remain anonymous.

4. Out of scope

The following are out of scope for this policy:

  • third-party services not operated by VoteEdge (e.g. SaaS sub-processors), unless the issue is exploitable through our deployment configuration;
  • social engineering of VoteEdge personnel, customers, or field agents;
  • physical security testing of any premises;
  • denial-of-service testing, including any volumetric or stress test against production infrastructure;
  • vulnerabilities in third-party libraries that are not exploitable in our deployment;
  • configuration of cookies, security headers (CSP, HSTS, etc.), TLS versions, or similar best-practice items where our configuration is reasonable for the threat model and no specific exploit is demonstrated;
  • self-XSS that requires the victim to paste attacker-supplied content into their own browser console;
  • findings derived from automated scanners without a verified, exploitable proof-of-concept.

5. Safe harbour

We commit not to pursue legal action against you for good-faith security research carried out in accordance with this policy. Specifically, where you:

  • act in good faith to investigate and report a vulnerability through the channel in clause 1;
  • limit your testing to in-scope assets (clause 2);
  • do not access, modify, retain, or destroy data beyond the minimum necessary to demonstrate the issue;
  • do not exploit the vulnerability for any purpose other than this report;
  • do not publish the vulnerability before we have had a reasonable opportunity to fix it (or coordinate with us on disclosure timing);
  • respect the privacy of users you may incidentally observe;

we will not initiate legal proceedings against you, nor will we authorise any third party to do so on our behalf.

Important limitations: the safe harbour above does not bind any third party (including regulators, prosecutors, or third parties whose data may have been accessed). It also does not authorise activity that is independently unlawful under the cybercrime statute of your jurisdiction, including Nigeria’s Cybercrimes (Prohibition, Prevention, etc.) Act 2015, Kenya’s Computer Misuse and Cybercrimes Act 2018, South Africa’s Cybercrimes Act 2020 (Act 19 of 2020), Ghana’s Electronic Transactions Act 2008 (Act 772), and the relevant Rwandan cybercrime statute. If your activity could constitute an offence under any of those statutes, we recommend you obtain legal advice before proceeding; we cannot make commitments on behalf of any regulator or prosecutor.

6. Acknowledgements

On request, we acknowledge contributors who submit valid reports under this policy. Please indicate in your report whether you would like to be credited and how (name, handle, or anonymous).

7. Monetary bounty

We do not currently operate a paid bug-bounty programme. Where a particularly impactful issue is reported, we may at our discretion offer an ex-gratia reward; this is not a contractual commitment and does not set a precedent.

8. Related documents

  • Privacy Policy — including breach-notification commitments.
  • Data Processing Agreement — Annex B (Technical and organisational measures), clause 7.5 (breach notification).
  • /.well-known/security.txt — RFC 9116 contact file (kept in lockstep with this page).
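For reference, this is the shape of an RFC 9116 security.txt that mirrors the contact and disclosure terms above. It is an illustrative example added here, not a copy of the file VoteEdge serves: the Contact address and the Canonical URL are taken from this page, while the Policy URL and the Expires date are placeholders.

```text
# Illustrative RFC 9116 security.txt for https://voteedgeng.com/.well-known/security.txt
# Added example; not the file actually served by VoteEdge.
# Policy URL and Expires date are assumptions.
Contact: mailto:hello@voteedgeng.com
Expires: 2027-05-01T00:00:00.000Z
Canonical: https://voteedgeng.com/.well-known/security.txt
Policy: https://voteedgeng.com/legal/responsible-disclosure
Preferred-Languages: en
```

RFC 9116 makes Expires mandatory and recommends a value less than a year out, so the file needs a refresh on every revision of this page (and before the date passes) to stay in lockstep; a file past its Expires date should be treated as stale. The Encryption field is omitted because, per clause 1, the PGP key is supplied on request rather than published.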

VoteEdge is a non-partisan election operations and field-research platform for authorised organisations. We do not endorse candidates or parties, do not publish official election results, and do not provide voting instructions.