Vulnerability Disclosure

Reporting a Vulnerability

If you believe you have found a security vulnerability in Call Milly, please report it to us at security@callmilly.com. Please include:

• A description of the vulnerability and its potential impact.
• Steps to reproduce the issue, including any relevant URLs, parameters, or payloads.
• Your contact information so we can follow up.
• Any supporting evidence such as screenshots or proof-of-concept code.

What We Ask

• Give us reasonable time to investigate and address the vulnerability before disclosing it publicly (we ask for at least 90 days).
• Do not access, modify, or delete data belonging to other users.
• Do not perform denial-of-service attacks or disrupt our services.
• Do not use automated scanning tools in a way that degrades our service.
• Act in good faith and comply with applicable laws.

Our Commitment

• We will acknowledge your report within 2 working days.
• We will provide an initial assessment within 5 working days.
• We will keep you informed of our progress and notify you when the issue is resolved.
• We will not take legal action against researchers who follow this policy.
• We will credit you (if you wish) when we disclose the fix.

Scope

This policy covers the Call Milly web application, API, and associated infrastructure. Third-party services we use (such as hosting providers) are not in scope — please report vulnerabilities in those services directly to the respective vendors.