SemlyPro · Version 1.0 · Effective date: 13 July 2026
Who makes this commitment. This Vulnerability Disclosure Policy is issued by Semly Pro, a sole proprietorship (eenmanszaak) established in the Netherlands, registered with the KvK (Dutch Chamber of Commerce) under number 99448351, VAT ID NL005387029B31, with registered address Hawaiiweg 41, 1339 NW Almere, Netherlands (trading as “SemlyPro”, “we”, “us”, “our”). The safe-harbour undertaking in clause 5 is a unilateral commitment given by this legal person. SemlyPro is currently operated by its sole proprietor, Surya Pillai. SemlyPro intends to incorporate a private limited company (Semly Pro B.V.); upon incorporation, SemlyPro will re-issue and re-version this Policy so that the safe-harbour undertaking runs from the operating entity, and references to “SemlyPro” will be read as references to Semly Pro B.V.
1. Our commitment
SemlyPro values the security research community. We appreciate security researchers who help us keep SemlyPro and its customers safe by reporting vulnerabilities they find. This Vulnerability Disclosure Policy (“VDP”) explains how to report a vulnerability, what to expect from us, and the boundaries within which we will not pursue legal action against good-faith researchers.
We follow the Coordinated Vulnerability Disclosure (“CVD”) approach set out in the NCSC-NL guideline “Coordinated Vulnerability Disclosure: the Guideline” (2019), and we coordinate where appropriate with recognised bodies such as NCSC-NL and the Dutch Institute for Vulnerability Disclosure (DIVD). This VDP is not a bug-bounty programme (see clause 7).
2. Scope
2.1. In scope
- The SemlyPro web application at semlypro.com, semlypro.nl, and app.semlypro.com.
- SemlyPro-operated APIs, including our REST API, any GraphQL endpoints, and webhook endpoints.
- The SemlyPro MCP (Model Context Protocol) server, for read-only testing on the researcher’s own account only (see the Rules of engagement in clause 2.3).
- SemlyPro browser extensions and plugins.
- Vulnerabilities in SemlyPro-authored software, including client SDKs.
2.2. Out of scope
- Third-party services (CMS platforms, AI providers, analytics/advertising providers, payment processors) integrated with the Service. Report those to their operators directly.
- Denial-of-service or resource-exhaustion attacks.
- Social-engineering of SemlyPro personnel or contractors.
- Physical attacks on SemlyPro property.
- Vulnerabilities requiring physical access to a user’s device.
- Missing best-practice headers or configurations without a demonstrable security impact.
- Attacks on infrastructure that we do not own or control.
- Content injection where the researcher acts as both attacker and victim.
2.3. Rules of engagement (mandatory)
To keep your testing within the safe harbour and to protect our customers, you must observe all of the following. Conduct outside these rules is not authorised and falls outside the safe harbour in clause 5:
- Use only your own test accounts and your own test data. Create a dedicated test account where possible.
- Never access, enumerate, or pivot into any other customer’s tenant, account, Customer Materials, publishing credentials, or OAuth tokens. SemlyPro is a multi-tenant platform; cross-tenant access is strictly prohibited.
- Never read, query, or exfiltrate data from connected third-party integrations for which SemlyPro holds access tokens on a customer’s behalf — including, without limitation, Google Ads, Google Analytics 4 (GA4), Google Search Console (GSC), and any connected content management system (for example WordPress, Webflow, Shopify, Ghost, or Sanity). Much of this data is business data and may also contain personal data; it belongs to our customers, not to SemlyPro or to you.
- Never access or exfiltrate customer-uploaded files (for example Excel/CSV uploads) or other Customer Materials belonging to anyone other than you.
- Never perform state-changing, write, publish, update, or delete operations against production or real data — including via the MCP server, the API, webhooks, browser extensions/plugins, or SDKs. Proof-of-concept must stop at a read-only demonstration on your own account. If a vulnerability can only be shown by a state-changing action, describe it and contact us before proceeding; do not execute it against live data.
- Do not use automated scanners at rates that could reasonably be expected to cause disruption (see also clause 5).
If you are unsure whether an action is permitted, stop and ask us at anil@semlypro.com before proceeding.
3. How to report
Send your report to anil@semlypro.com, preferably encrypted with our PGP key available at semlypro.com/.well-known/pgp-key.asc. A machine-readable pointer to this policy and the security contact is published at semlypro.com/.well-known/security.txt (RFC 9116). If you cannot retrieve the PGP key, request it from anil@semlypro.com.
Please include:
- a description of the vulnerability;
- steps to reproduce, ideally with proof-of-concept code or screenshots (observing the Rules of engagement in clause 2.3);
- the potential impact;
- your name and preferred contact method (or anonymous, if you prefer).
We accept reports in English or Dutch.
How we handle your personal data. A report may contain your personal data (for example your name and contact details). We process that personal data only to triage, investigate, and resolve the reported vulnerability, to communicate with you, and to credit you if you wish. Our legal basis, retention periods, and your rights (including access, correction, and erasure) are set out in our Privacy Policy at semlypro.com/privacy. You may report anonymously; if you do, we may be unable to keep you informed or credit you. For data principals in India, the notice and grievance-redressal information required under the Digital Personal Data Protection Act, 2023 is set out in the Privacy Policy and the India Privacy & Grievance Addendum (grievance contact: anil@semlypro.com).
4. What to expect from us
- We will acknowledge receipt of your report within two (2) business days.
- We will provide an initial assessment within ten (10) business days.
- We will keep you informed of progress at reasonable intervals.
- Where possible we will credit you in our security advisories, at your option.
- We do not currently pay financial rewards for vulnerability reports. This may change in future (see clauses 7 and 8).
For the purposes of this VDP, “business days” means days other than Saturdays, Sundays, and public holidays in the Netherlands, which is SemlyPro’s principal place of business.
5. Safe-harbour terms
If you research and report a vulnerability in good faith and in accordance with this VDP (including the Rules of engagement in clause 2.3), SemlyPro will:
- consider your activity to be authorised, and will not initiate legal action against you for that activity;
- work with you to understand and resolve the issue quickly; and
- to the extent lawfully possible, confirm to any third party or authority that pursues you for that in-scope, good-faith activity that the activity was authorised by SemlyPro.
You must, in return:
- use only your own test accounts and test data, and comply with the Rules of engagement in clause 2.3 at all times;
- not access, modify, delete, or exfiltrate any personal data beyond what is minimally necessary to demonstrate the vulnerability;
- immediately stop testing if you encounter any personal data other than your own test data, delete any such data you have obtained, and confirm to us in writing that you have deleted it and retained no copies (including screenshots, logs, or exports);
- report inadvertent access to others’ data immediately, with enough detail for us to assess it. Inadvertent access to personal data may constitute a personal-data breach that SemlyPro must assess under Articles 33–34 GDPR / UK GDPR (and, where applicable, the breach-notification duties under India’s Digital Personal Data Protection Act, 2023, including notification to the Data Protection Board of India), which can require notification within 72 hours — prompt, detailed reporting by you is important;
- not degrade or disrupt the Service, including by running automated scanners at rates that could reasonably be expected to cause disruption;
- not publicly disclose the vulnerability until we have had a reasonable time to fix it (see clause 6);
- comply with applicable law throughout.
What this safe harbour is, and is not.
- The safe harbour is a unilateral undertaking by SemlyPro only. It is limited to legal claims that SemlyPro itself is entitled to bring, and it does not bind our customers, affected data subjects/data principals, other third parties, or any public authority (including the Dutch Public Prosecution Service — Openbaar Ministerie). It authorises nothing that is unlawful, and SemlyPro cannot and does not waive criminal liability.
- The safe harbour applies only to activity that complies with this VDP. It does not cover conduct that exceeds the Rules of engagement or is otherwise unlawful — including, under Dutch law, offences under the Wetboek van Strafrecht (Dutch Criminal Code), in particular Article 138ab (computervredebreuk / unauthorised access to a computer system), and related provisions such as Articles 138c, 139g, and 350a–350b (as amended by, among others, the Wet computercriminaliteit III, in force 2019).
- The safe harbour operates only to the extent permitted by applicable law and does not authorise conduct that is unlawful in your own jurisdiction. Researchers remain bound by their local laws — for example the UK Computer Misuse Act 1990, India’s Information Technology Act, 2000 (including sections 43 and 66) and Digital Personal Data Protection Act, 2023, and, for US-based researchers, the Computer Fraud and Abuse Act (18 U.S.C. § 1030). Please ensure your testing is lawful where you are located.
6. Coordinated disclosure
We prefer coordinated disclosure. Give us a reasonable period to fix the issue before public disclosure. Reasonable is:
- ninety (90) days from your initial report; or
- earlier if a fix is deployed and users are protected; or
- longer, on request, if the fix requires substantial engineering.
If we cannot agree, we will discuss timelines in good faith.
Internally, SemlyPro triages reports under this VDP against its security incident-response process and applicable regulatory reporting deadlines. Depending on the nature of the vulnerability, these may include obligations under the EU Cyber Resilience Act (Regulation (EU) 2024/2847) — whose vulnerability- and incident-reporting duties, via ENISA’s Single Reporting Platform, apply from 11 September 2026 on a 24-hour early-warning / 72-hour / 14-day cadence, with full application from 11 December 2027 — and the NIS2 Directive (Directive (EU) 2022/2555). Whether, and to what extent, these apply to SemlyPro’s services is subject to confirmation with counsel.
7. Eligibility and exclusions
- You must be of legal age (18 or over) to participate, or have the consent of a parent or legal guardian.
- Current SemlyPro personnel and contractors, and anyone who has been SemlyPro personnel or a contractor within the preceding twelve (12) months, are not eligible and are excluded from this safe harbour. SemlyPro personnel and authorised contractors may access Customer Materials only through internal, least-privilege, access-logged channels as described in our Terms of Service, Privacy Policy, and Data Processing Agreement — not under this VDP.
- You must not be located in, or a resident of, a jurisdiction subject to comprehensive EU, UN, or other applicable sanctions, and you must not be a person or entity on an applicable sanctions list (including EU and OFAC lists).
- If SemlyPro introduces any monetary reward in future, it may verify your identity and screen you against applicable sanctions lists before making any payment, and may withhold payment where doing so would be unlawful.
8. Legal
- Nothing in this VDP creates an employment or agency relationship between you and SemlyPro.
- This VDP is not a bug-bounty programme and does not obligate SemlyPro to make any payment.
- This VDP is provided “as is” and creates no rights, warranties, or entitlements beyond the safe-harbour undertaking expressly stated in clause 5.
- SemlyPro may amend this VDP from time to time. Any amendment is prospective: the version of the VDP in force at the start of your good-faith activity governs that activity, and no amendment retroactively withdraws safe-harbour protection for good-faith research validly begun under a prior version. A visible version identifier is provided so you can point to the version you relied on.
- Governing law. This VDP and the safe-harbour undertaking in clause 5 are governed by the laws of the Netherlands. Any dispute regarding this VDP is subject to the competent courts of Amsterdam, the Netherlands — without prejudice to any mandatory consumer or local-law protections a researcher may enjoy in their own jurisdiction.
- Entity and succession. The legal person bound by this VDP is Semly Pro (eenmanszaak, KvK 99448351, Hawaiiweg 41, 1339 NW Almere, Netherlands). Upon incorporation of Semly Pro B.V., SemlyPro will re-issue this VDP so that the safe-harbour undertaking runs from the operating entity.
9. Contact
- Vulnerability reports: anil@semlypro.com (PGP:
semlypro.com/.well-known/pgp-key.asc) - Machine-readable pointer:
semlypro.com/.well-known/security.txt(RFC 9116) - Privacy questions about your report: anil@semlypro.com · Privacy Policy: semlypro.com/privacy
- India grievance contact: anil@semlypro.com
Last updated 13 July 2026 · Operated by Semly Pro (eenmanszaak), KvK 99448351, Hawaiiweg 41, 1339 NW Almere, Netherlands · Questions about this document: anil@semlypro.com