
Responsible Disclosure Policy

We welcome security researchers who help keep AutoSAM and our users safe.

1. Scope

In-scope:

• The AutoSAM web application at autosam.io and *.autosam.io

• AutoSAM API endpoints

• Authentication and authorization mechanisms

• Data exposure or leakage vulnerabilities

• Cross-site scripting (XSS), SQL injection, CSRF

• Server-side request forgery (SSRF)

• Business logic flaws affecting data integrity or access control

Out-of-scope:

• Third-party services not operated by GovCertix LLC

• Social engineering or phishing attacks against employees or users

• Denial-of-service (DoS/DDoS) attacks

• Physical security testing

• Automated vulnerability scanning that generates excessive traffic

• Findings from applications or services not listed in-scope

2. How to Report

Please send vulnerability reports to security@autosam.io. For sensitive disclosures, you may encrypt your message using our PGP public key:

PGP Fingerprint: [To be published — contact security@autosam.io to request]

In your report, please include:

• A detailed description of the vulnerability

• Steps to reproduce (including URLs, parameters, payloads)

• The potential impact of the vulnerability

• Any proof-of-concept code or screenshots

• Your contact information for follow-up

3. What to Expect

After you submit a report, here is what you can expect from our team:

• Acknowledgment — We will confirm receipt of your report within 48 hours

• Status updates — We will provide updates on the status of your report at least every 7 days until resolution

• Coordinated disclosure — We follow a 90-day coordinated disclosure timeline. We ask that you do not publicly disclose the vulnerability until we have had 90 days to investigate and remediate, or until we confirm the issue is resolved, whichever comes first

• Credit — With your permission, we will publicly credit you for the discovery on our security acknowledgments page

4. Safe Harbor

GovCertix LLC considers security research conducted consistent with this policy to be authorized and will not pursue legal action against researchers who:

• Act in good faith to avoid privacy violations, data destruction, and disruption to our services

• Only interact with accounts they own or have explicit written permission to test

• Do not exploit a vulnerability beyond what is necessary to confirm it exists

• Report the vulnerability promptly and do not disclose it publicly before resolution

• Comply with all applicable laws

If legal action is initiated by a third party against you for activities conducted in accordance with this policy, we will take steps to make it known that your actions were authorized under this safe harbor provision.

5. Out-of-Scope Activities

The following activities are strictly prohibited and are not covered under this policy:

• Accessing, modifying, or deleting data belonging to other users

• Executing or attempting denial-of-service attacks

• Sending unsolicited messages or social engineering attacks

• Testing third-party services, applications, or websites not owned by GovCertix LLC

• Any activity that violates applicable local, state, or federal law

6. Contact

For all security-related inquiries, contact:

GovCertix LLC
2461 Eisenhower Ave, Suite 200
Alexandria, VA 22314
security@autosam.io

Last updated: March 21, 2026.


© 2026 GovCertix LLC. All rights reserved.


Legal docs v1.0.0; last reviewed 2026-05-13.
