CSCC document
Security and Incident Response
This page documents how to report a security vulnerability, a privacy incident, or suspected misuse of Amazon Information to CSCC, and the timelines on which CSCC will respond, investigate, and resolve.
Last updated: May 14, 2026
Our Commitment
CSCC takes seriously the security of the platform, the brands that rely on it, and the providers it connects to. We maintain a documented program for receiving, tracking, responding to, and resolving security vulnerabilities, data-privacy incidents, and reports of suspected misuse of Amazon Information. We welcome reports from security researchers, brand operators, connected providers, and members of the public.
How to Report
Submit reports by email to security@creativestrategysystem.com. This inbox is monitored on business days, and high-severity reports are triaged on a rolling basis outside of business hours.
Where the report concerns sensitive vulnerability details, please encrypt the message using our PGP key, which is available on request. We will provide a current key fingerprint by reply.
What to Include
A report that contains the following information is easiest for us to triage quickly:
- A description of the issue, the type of vulnerability, and the suspected impact.
- The affected endpoint, URL, page, or component.
- Reproduction steps, including any payloads, requests, or screenshots needed to reproduce the behavior.
- The date and time of discovery, along with the time zone.
- Your contact information and, if desired, a name or handle for acknowledgment.
Response Commitments
We will acknowledge receipt of a report and target the following response timelines:
- Acknowledgment: within twenty-four (24) hours of receipt.
- Initial triage: within three (3) business days of acknowledgment, including a severity classification.
- Status updates: at least every seven (7) days while the report is open.
- Critical findings: remediated within seven (7) days, consistent with Amazon’s Data Protection Policy.
- High findings: remediated within thirty (30) days.
- Resolution notice: sent to the reporter when the issue is closed, along with any disclosure timeline.
In Scope
The CSCC vulnerability-disclosure program covers the following properties and systems:
- The CSCC operator dashboard at creativestrategysystem.com and its sub-paths.
- The CSCC backend API at backend.creativestrategysystem.com and its sub-paths.
- The OAuth, callback, and webhook endpoints used by CSCC to connect to third-party providers.
- Source code and configuration that CSCC controls and that processes Customer Data or Amazon Information.
Out of Scope
The following are out of scope for this program. Reports that fall solely within these categories will typically be closed without remediation:
- Denial-of-service attacks, volumetric attacks, and resource-exhaustion testing against production systems.
- Social-engineering attacks against CSCC personnel, brand operators, or providers.
- Physical attacks against CSCC personnel or facilities.
- Missing or weak SPF, DKIM, or DMARC records on non-sending domains.
- Output of automated scanners that has not been validated as exploitable.
- Vulnerabilities in third-party services, libraries, or infrastructure that CSCC does not control, except where CSCC’s configuration is the proximate cause.
- Self-XSS, clickjacking on pages with no sensitive action, and similar low-impact issues.
- Reports requiring physical access to a user’s device, a rooted or jailbroken device, or out-of-date browsers.
Safe Harbor
CSCC will not pursue legal action against security researchers who report vulnerabilities in good faith and consistent with this policy, including by accessing only the data necessary to demonstrate a vulnerability, by avoiding privacy violations and service disruption, by deleting any retrieved data after reporting, and by giving CSCC a reasonable opportunity to remediate before public disclosure. If your research is consistent with this policy and a third party brings legal action against you, CSCC will take reasonable steps to make it known that your activity was authorized.
This safe harbor applies to CSCC’s in-scope systems only. It does not authorize action that violates applicable law or that exceeds the authorizations granted by third-party providers.
Customer-Reported Incidents
Brand operators who suspect a security incident or unauthorized access affecting their CSCC tenant should contact security@creativestrategysystem.com and copy their brand administrator. Where the incident may involve the loss, theft, or misuse of provider credentials, please indicate the affected providers so we can prioritize containment alongside the relevant providers’ security teams.
Suspected Misuse of Amazon Information
CSCC operates a publicly accessible process for the prompt submission, tracking, response, and resolution of data-privacy incidents, security-vulnerability notifications, and suspected misuse of Amazon Information, in accordance with the Amazon Ads Partner Network Policies and the Amazon Selling Partner API Data Protection Policy.
Amazon, an authorizing seller, an authorizing advertiser, or any third party that reasonably suspects misuse of Amazon Information processed by CSCC may report the concern to security@creativestrategysystem.com. CSCC will:
- Acknowledge receipt within twenty-four (24) hours.
- Investigate the report on a priority basis and contain any active misuse.
- Notify Amazon at the Amazon-designated contact within twenty-four (24) hours of confirming a security incident that affects Amazon Information.
- Honor verified deletion requests for affected Amazon Information within thirty (30) days, subject to legal retention obligations.
Incident Management Point of Contact
CSCC maintains a designated Incident Management Point of Contact (IMPOC) who is responsible for receiving, triaging, and coordinating response to reports submitted under this policy. The IMPOC role is held by CSCC’s engineering lead and is contactable at security@creativestrategysystem.com.
Our Internal Process
When CSCC receives a report under this policy, it follows a documented internal process:
- Detect & receive: the report is logged with a unique identifier and assigned to the IMPOC.
- Contain: where the report describes active exploitation or active misuse, CSCC takes immediate containment steps, which may include revoking credentials, rotating secrets, or temporarily disabling affected functionality.
- Investigate: CSCC reproduces the issue, identifies root cause, scope, and affected data, and classifies severity.
- Notify: affected brands are notified without undue delay; Amazon is notified within twenty-four (24) hours of confirming an incident that affects Amazon Information; regulators are notified where legally required.
- Remediate: CSCC deploys the fix within the response timelines above and verifies that the issue is resolved.
- Post-incident review: CSCC conducts a post-incident review to identify follow-up engineering, process, or training work, and tracks it to closure.
Notification Commitments
In the event of a confirmed security incident affecting personal information or Amazon Information processed by CSCC, we will notify affected brands without undue delay, with a target of seventy-two (72) hours from confirmation. We will notify Amazon at the Amazon-designated contact within twenty-four (24) hours of confirming an incident that affects Amazon Information, consistent with Amazon’s Data Protection Policy. Notifications to data subjects and regulators will be made where required by applicable law.
Acknowledgments
CSCC is grateful to researchers, brand operators, and providers who report security issues responsibly. With the reporter’s permission, CSCC will acknowledge contributions in release notes or on this page when an issue is resolved.
Policy Version
This security and incident-response policy is reviewed at least annually and updated as the platform changes. Updates are posted on this page with a revised last-updated date.