SuperYears - Responsible Disclosure & Security Policy

Version: Draft v2026-1

Effective date: 01 March 2026

Applies to: the public SuperYears website and public calculators/tools, and the subscription app/service (together, the Services).

Contact (security): security@superyears.com.au

Contact (legal): legal@superyears.com.au

Plain‑English explainer (read this first)

If you find a security issue, we want to hear about it. This policy explains how to report vulnerabilities safely, what testing is allowed, and how we’ll work with you to fix issues. Please don’t put users or data at risk while investigating.

What’s inside

  • S-1 Scope and purpose

  • S-2 How to report a vulnerability

  • S-3 Good-faith safe harbour

  • S-4 Rules of engagement (what’s allowed / not allowed)

  • S-5 Our commitments and response process

  • S-6 Public disclosure and coordination

  • S-7 Legal, privacy and data handling

  • S-8 Changes and contact

S-1. Scope and purpose

This policy covers security vulnerabilities in the Services, including our website, calculators/tools, and subscription app/service. It is intended for security researchers, customers, and anyone who discovers a potential vulnerability.

Out of scope: issues in third‑party products or services we do not control (for example, your device, browser extensions, payment providers, or other external platforms). If the issue appears to sit with a third party, we may suggest you report it to them as well.

This policy sits alongside our Website Terms, Subscriber/App Terms, Acceptable Use Policy (AUP), Privacy Policy, Cookie Policy, Accessibility & Data‑Use Statement, and Complaints & Dispute Resolution Policy. If there is a conflict, the document most specific to the subject matter prevails.

S-2. How to report a vulnerability

Please email security@superyears.com.au with:

  • A clear description of the issue and why you believe it’s a vulnerability

  • Steps to reproduce (or a proof-of-concept) that minimises risk to users and data

  • Affected URLs, endpoints, app version, device/OS/browser, and timestamps (if relevant)

  • Any indicators of impact (e.g., what data could be accessed) without extracting real user data

  • Your preferred contact details and any public attribution name (optional)

If you’re unsure whether something is a vulnerability, send what you have — we’d rather receive a cautious report than miss an issue.

If you believe there is active exploitation or an immediate risk to users, please flag your email as “URGENT” and include any time‑critical details. If you need a more secure channel for sensitive technical information, tell us and we’ll organise one.

S-3. Good-faith safe harbour

We support good-faith security research. If you follow this policy, we will treat your activity as authorised and will not pursue legal action against you for the research itself. This does not apply to:

  • Actions that cause harm, service disruption, or data loss

  • Accessing, modifying, or exfiltrating data that isn’t yours

  • Extortion demands, ransom notes, or threats

  • Social engineering (e.g., phishing staff/users) or physical attacks

  • Testing that violates applicable law

If your research accidentally exposes data, stop immediately, do not save or share it, and notify us right away.

S-4. Rules of engagement (what’s allowed / not allowed)

Allowed (with care):

  • Testing on your own accounts and data

  • Non-destructive testing that does not degrade service availability

  • Limited-rate requests that respect stability and privacy

  • Reporting vulnerabilities privately and giving us a reasonable chance to fix them before public disclosure

Not allowed:

  • Denial-of-service (DoS/DDoS), stress testing, or load testing

  • Automated scanning at scale, credential stuffing, or brute force attempts

  • Attempting to access other users’ accounts, data, or content

  • Changing or deleting data, or performing actions that would impact real users

  • Introducing malware, backdoors, or persistence mechanisms

  • Using the vulnerability to gain financial benefit or competitive advantage

  • Publishing details before coordinated disclosure (see S-6)

S-5. Our commitments and response process

When we receive a report, we aim to:

  • Acknowledge receipt within 2 business days

  • Triage and assign a severity level

  • Keep you informed of progress, where reasonable

  • Work to remediate confirmed vulnerabilities as a priority

  • Credit you publicly (optional) for valid reports, unless you prefer anonymity

Timelines vary depending on complexity, testing needs, and deployment cycles. For critical issues, we will aim to accelerate remediation and may apply temporary mitigations (e.g., feature flags, rate limits) while a permanent fix is developed.

We do not currently operate a paid bug bounty program or guarantee payment for reports, unless we’ve agreed otherwise in writing.

S-6. Public disclosure and coordination

We ask that you keep vulnerability details confidential until we have addressed the issue or agreed on a disclosure plan.

Unless we agree otherwise, we aim for coordinated disclosure within 90 days of the initial report for confirmed vulnerabilities. For critical issues, we may request (and you agree to) a shorter or longer window based on real-world risk.

If you plan to publish, please notify us at least 7 days beforehand so we can confirm remediation status and advise on safe wording.

S-7. Legal, privacy and data handling

Please avoid sending sensitive personal information (e.g., TFNs, full card numbers) in your report. If logs, screenshots, or captures may include personal information, redact where possible.

We handle report information under our Privacy Policy. We may share details internally and with relevant service providers (e.g., hosting/security vendors) only as needed to investigate and remediate.

If a vulnerability results in a data breach likely to cause serious harm, we will follow Australia’s Notifiable Data Breaches scheme and notify affected individuals and the OAIC as required.

S-8. Changes and contact

We may update this policy from time to time. When we do, the Effective date at the top will change and we will keep an archive of prior versions.

Security reports: security@superyears.com.au

Legal: legal@superyears.com.au

Linked policies

Acceptable Use Policy (AUP): https://superyears.com.au/acceptable-use

Privacy Policy: https://superyears.com.au/privacy

Cookie Policy: https://superyears.com.au/cookies

Website Terms & Conditions: https://superyears.com.au/terms

Subscriber/App Terms: https://superyears.com.au/app-terms

Accessibility & Data‑Use Statement: https://superyears.com.au/accessibility

Complaints & Dispute Resolution Policy: https://superyears.com.au/complaints

Important notice

Information on the Services is general in nature and does not constitute personal financial advice.