Responsible Disclosure Policy
Responsible Disclosure Policy — Vulnerability Reporting
Threatstealth operates a coordinated vulnerability disclosure programme. In-scope reports are acknowledged within 72 hours, handled under a 90-day coordinated disclosure timeline, and credited publicly when the fix ships.
- In scope — web application, API, authentication, and platform vulnerabilities within Threatstealth
- Out of scope — social engineering, physical attacks, and third-party services not controlled by Threatstealth
- Reporting — send findings to security@threatstealth.com with proof-of-concept and impact assessment
- 72-hour acknowledgement — all in-scope reports acknowledged within 72 hours of receipt
- 90-day coordinated disclosure — remediation targeted within 90 days of acknowledgement; public disclosure coordinated with the reporter once the fix is deployed
- Safe harbour — Threatstealth will not pursue legal action against good-faith researchers following this policy
Programme Scope: What Vulnerabilities Are Covered
The Threatstealth coordinated vulnerability disclosure programme covers security vulnerabilities affecting the Threatstealth web application, REST APIs, authentication and authorisation systems, platform infrastructure under direct Threatstealth control, and client-facing security dashboards. In-scope vulnerability classes include injection (SQL, command, LDAP, XPath), authentication weaknesses (broken authentication, session management flaws, MFA bypass), authorisation failures (broken object-level authorisation, excessive data exposure), and server-side vulnerabilities (SSRF, XXE, insecure deserialisation). The programme values finding quality over quantity: a single high-impact authentication bypass is worth far more than ten low-impact informational findings.
- Web application vulnerabilities — OWASP Top 10 categories including injection, XSS, CSRF, and authentication flaws
- API security vulnerabilities — OWASP API Security Top 10 including BOLA, excessive data exposure, and SSRF
- Authentication and MFA bypass — weaknesses in login flows, session management, and multi-factor authentication
- Authorisation failures — privilege escalation, tenant isolation bypasses, and insecure direct object references
- Infrastructure vulnerabilities — server-side vulnerabilities in Threatstealth-controlled infrastructure and deployments
How to Submit a Vulnerability Report
To submit a vulnerability report, email security@threatstealth.com with a clear description of the vulnerability, the steps required to reproduce it, your assessment of its impact, and any proof-of-concept code or screenshots that demonstrate it. Sensitive findings should be encrypted to the Threatstealth security team PGP public key available on this page. Include your preferred contact method for follow-up and state whether you wish to be credited in the public disclosure. Report quality directly affects how quickly the team can validate and remediate a finding: precise reproduction steps and a well-reasoned impact assessment shorten the response.
- Email submission — send reports to security@threatstealth.com with full reproduction steps and impact assessment
- PGP encryption — encrypt sensitive reports using the Threatstealth security team PGP public key
- Required information — vulnerability description, reproduction steps, proof-of-concept, and estimated impact severity
- Attribution preferences — indicate whether you wish to be publicly credited in the security advisory upon disclosure
- Responsible testing — limit testing to your own accounts and avoid accessing or modifying other users' data
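The encryption step above, as an added example that is not Threatstealth tooling: a small POSIX shell helper that encrypts a report to the security team's key with GnuPG. It assumes gpg (GnuPG 2.x) is on PATH and that the team's public key has already been imported into the local keyring; the fingerprint it pins is assumed to have been copied from the policy page or another trusted channel. The throwaway key and the sample report it uses are constructed for the demonstration and stand in for the real key and a real finding.

```shell
#!/bin/sh
# Added example, not Threatstealth tooling: encrypt a report to the security
# team's PGP key with GnuPG before e-mailing it.
# Assumed: gpg (GnuPG 2.x) is on PATH; the team's public key is already in the
# local keyring; its fingerprint was taken from the policy page (or another
# trusted channel), not from a key-server search by e-mail address.

# Succeed only if a key with exactly this fingerprint is in the keyring.
# Addressing the key by fingerprint instead of e-mail address stops gpg from
# picking a look-alike key someone uploaded under the same address.
require_key() {
    fpr="$1"
    gpg --batch --quiet --with-colons --list-keys "$fpr" 2>/dev/null \
        | awk -F: -v want="$fpr" '$1 == "fpr" && $10 == want { found = 1 }
                                    END { exit !found }'
}

# Encrypt plaintext report $2 to the key with fingerprint $1, ASCII-armoured,
# into $3. --trust-model always skips the web-of-trust prompt because the
# fingerprint itself was verified out of band.
encrypt_report() {
    fpr="$1"; report="$2"; out="$3"
    require_key "$fpr" || { echo "key $fpr not in keyring" >&2; return 1; }
    gpg --batch --yes --quiet --trust-model always --armor \
        --recipient "$fpr" --output "$out" --encrypt "$report"
}

# Check the attachment really is an armoured PGP message, not the plaintext.
is_pgp_message() {
    head -n 1 "$1" | grep -q '^-----BEGIN PGP MESSAGE-----$'
}

# Test fixture only: a throwaway RSA keypair in the current GNUPGHOME, standing
# in for the real team key. Prints its fingerprint. Run it inside a private
# GNUPGHOME so it never touches your own keyring.
make_throwaway_key() {
    gpg --batch --quiet --gen-key 2>/dev/null <<'EOF'
%no-protection
Key-Type: RSA
Key-Length: 2048
Subkey-Type: RSA
Subkey-Length: 2048
Name-Real: Throwaway Security Team
Name-Email: security@example.invalid
Expire-Date: 0
%commit
EOF
    gpg --batch --with-colons --list-keys | awk -F: '$1 == "fpr" { print $10; exit }'
}

# Stand-alone demo (DEMO=1 ./encrypt_report.sh); key and report are constructed.
if [ "${DEMO:-0}" = 1 ]; then
    GNUPGHOME=$(mktemp -d); export GNUPGHOME; chmod 700 "$GNUPGHOME"
    fpr=$(make_throwaway_key)
    printf 'Title: constructed sample report\nImpact: demo only\n' > "$GNUPGHOME/report.txt"
    encrypt_report "$fpr" "$GNUPGHOME/report.txt" "$GNUPGHOME/report.txt.asc"
    is_pgp_message "$GNUPGHOME/report.txt.asc" && echo "encrypted to $fpr"
fi
```

For a real submission, replace the throwaway key with the imported Threatstealth key and pass its full 40-hex-character fingerprint to encrypt_report; compare that fingerprint character by character against the one published on this page, since a key found by searching a key server for the security@ address carries no guarantee of belonging to the team.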
Response Timeline and Coordinated Disclosure Process
The Threatstealth security team commits to acknowledging all in-scope vulnerability reports within 72 hours of receipt and providing an initial severity assessment within 7 business days. The remediation timeline depends on vulnerability severity: Critical findings are targeted for remediation within 14 days, High severity within 30 days, and Medium severity within 90 days. The coordinated disclosure window is 90 days from acknowledgement — during this period, the reporter is asked to refrain from public disclosure while remediation is completed. Upon deploying a fix, Threatstealth coordinates the timing and content of public disclosure with the reporter and publishes a security advisory crediting the researcher.
- 72-hour acknowledgement — confirmation of receipt and initial in/out-of-scope assessment within 72 hours
- 7-day severity assessment — initial CVSS severity rating and remediation priority communicated within 7 business days
- Critical remediation target — Critical severity findings targeted for fix deployment within 14 days of confirmation
- 90-day disclosure window — coordinated disclosure standard allowing 90 days for remediation before public release
- Security advisory publication — public advisory crediting the researcher published upon fix deployment
Safe Harbour: Legal Protections for Good-Faith Researchers
Threatstealth will not pursue civil or criminal legal action against security researchers who discover and report vulnerabilities in good faith following the guidelines in this policy. Good-faith research includes discovering vulnerabilities through testing on your own accounts, through techniques that do not exceed what is necessary to demonstrate the vulnerability, and through methods that avoid accessing, modifying, or exfiltrating data belonging to other users. Research that intentionally disrupts service availability, deliberately accesses data beyond the minimum necessary to demonstrate the vulnerability, or attempts to exploit vulnerabilities for personal gain is explicitly outside the safe harbour protections. We encourage researchers to contact us if they are uncertain whether a planned testing technique falls within the safe harbour.
- No legal action commitment — Threatstealth will not pursue action against good-faith researchers following this policy
- Good-faith definition — testing limited to own accounts, minimum necessary data access, and no service disruption
- Scope for safe harbour — protection applies to in-scope systems using non-disruptive testing techniques
- Contact for uncertainty — researchers uncertain about testing scope are encouraged to ask before testing
- Policy as authorisation — within its defined scope and testing limits, this policy constitutes Threatstealth's authorisation to test for vulnerabilities