What this covers
Responsible Disclosure: clear expectations for safe operation.
Plain-language policy content for customers, users, partners and researchers.
01 Reporting security issues
- Report suspected vulnerabilities in ThreatCanary systems, websites or services through the published security contact channel.
- Include a clear description, affected endpoint or asset, reproduction steps, impact and any supporting evidence.
- Avoid including unnecessary personal data, secrets or customer information in the initial report.
02 Research expectations
- Test only against ThreatCanary-owned systems or explicitly authorised scope.
- Do not access, modify, delete, disclose or exfiltrate data that is not yours.
- Do not perform denial-of-service, social engineering, physical attacks or actions that could harm customers or third parties.
03 How ThreatCanary responds
- We aim to acknowledge credible reports, triage impact and communicate remediation progress where appropriate.
- Reports are prioritised based on severity, exploitability, affected systems and potential customer impact.
- Public disclosure should wait until remediation and coordination have been completed.
04 Safe harbour intent
- ThreatCanary supports good-faith security research conducted safely and within scope.
- Researchers should stop immediately and contact ThreatCanary if they encounter customer data or out-of-scope systems.
- This page is not a bug bounty promise unless a separate program explicitly says so.