Security Disclosure Policy
Last updated: 2026-06-09
Megapower Asia LLC. (“we”, “our”, or “the company”) takes information security seriously. We welcome external security researchers, customers, and members of the public to help us identify potential vulnerabilities in megapower.asia and the online services we operate. This page explains how to report an issue, what to expect from us, and our stance on good-faith disclosure.
1. How to Report
If you believe you have found a security vulnerability, please send a detailed report to:
security@megapower.asia
Where possible, please include:
- The URL or system location of the issue
- Steps to reproduce (including browser, operating system, and any tools used)
- Potential impact and your initial assessment
- Screenshots, HTTP requests/responses, or other supporting evidence
We accept PGP-encrypted reports, but it is not required. If you do not have a PGP key, plain-text email is perfectly fine — we will process it the same way. If you would like us to publish a PGP public key, please mention this in your report and we will prioritize it.
2. Expected Response Times
- General vulnerability reports: we aim to acknowledge receipt within 3 business days
- Critical vulnerabilities (involving potential customer data exposure, system integrity, or widespread impact): we aim to provide an initial response within 24 hours
- Remediation timelines depend on severity. We will proactively keep the reporter updated until the issue is resolved.
If you have not received a reply within the timeframe above, please resend your email — it may have been caught by spam filtering.
3. Disclosure Principles (Please Coordinate With Us)
To give us reasonable time to remediate and to protect other users, please coordinate with us before publicly disclosing a vulnerability and follow these principles:
- Coordinated disclosure: please allow us at least 90 days to remediate before public disclosure. Issues involving third-party vendors may require longer, and we will explain why if that is the case.
- No destructive testing: do not delete, modify, or otherwise damage any data belonging to us or our customers. Do not perform denial-of-service attacks.
- No lateral expansion: stop testing as soon as a vulnerability is identified. Do not attempt to access other accounts, other customers’ data, or unrelated systems.
- No social engineering: do not phish, impersonate, or attempt physical intrusion against our staff, customers, or partners.
- Scope: this policy covers *.megapower.asia and the SaaS tools and customer-facing systems we directly operate. For issues found inside a customer’s own internal environment, please contact our customer support channel separately.
4. Safe Harbor for Good-Faith Research
For security researchers who test and report under the principles above and act in good faith, we will not pursue legal action, refer the matter to law enforcement, or seek civil damages.
“Good faith” means: acting with the intent of helping us improve our security, without causing data exposure, without abusing the vulnerability, and without publishing unfixed details externally.
5. Acknowledgement and Rewards
Once a reported issue has been fixed, we are happy to publicly acknowledge the researcher who reported it (unless you prefer to remain anonymous). The specific form of acknowledgement can be discussed when you submit your report.
We are a small business and do not currently offer monetary rewards or a formal bug bounty program. If this changes in the future, we will update this page.
For high-quality, reproducible reports we may, at our discretion, offer other forms of appreciation (such as service credits or company gifts).
If you have any questions about this policy itself, you are also welcome to email security@megapower.asia.