Vulnerability Disclosure Policy
Prodia Systems Ltd ("Prodia") welcomes coordinated disclosure of security vulnerabilities. This policy is published in accordance with ISO/IEC 29147:2018 and the European Union Agency for Cybersecurity's guidance on coordinated vulnerability disclosure (CVD), and complements the Network and Information Security Directive (NIS2) framework. To submit a report through our secure intake form, see Report a Vulnerability.
1. How to report
- Email security@prodia.dev with a clear technical description, reproduction steps and any supporting evidence.
- PGP key fingerprint and security.txt are published at /.well-known/security.txt.
- Do not include personal data of third parties beyond what is strictly necessary.
2. Scope
In scope
- prodia.dev, *.prodia.dev and the production Prodia platform.
- Official Prodia-hosted APIs, SDKs and downloadable clients.
Out of scope
- Third-party services that Prodia does not operate.
- Social-engineering, phishing or physical-security testing of Prodia personnel.
- Denial-of-service testing, volumetric or otherwise.
- Findings derived solely from automated scanning without demonstrated impact.
- Theoretical vulnerabilities without a proof of concept.
- Issues already known to Prodia (we will indicate this in our response).
3. Rules of engagement
- Act in good faith and within the scope above.
- Do not access, modify, delete or exfiltrate data that does not belong to you. If you accidentally access customer or personal data, stop, do not retain copies and tell us immediately.
- Do not disrupt the Service. Use test accounts where possible.
- Hold disclosure until Prodia has had a reasonable opportunity to remediate, ordinarily 90 days from report.
4. Safe harbour
Prodia will not pursue civil or, where it lies within our control, criminal action against a researcher for activity carried out in good faith and in compliance with this policy. We will use reasonable efforts to make this position known to third parties whose involvement might otherwise be implicated. This safe harbour does not extend to violations of applicable law unrelated to good-faith research.
5. Response process
- Acknowledgement within 3 business days.
- Initial triage and severity assessment within 10 business days.
- Status updates at least every 14 days until resolution.
- Public credit on request once a fix is deployed.
6. Reward
Prodia does not currently operate a paid bug bounty programme. We acknowledge researchers in a public hall of fame on request and may provide swag or recognition for high-impact reports.
