Found a flaw? Tell us privately.
Good-faith research that follows this policy is authorized — and we won't pursue legal action against researchers who play by the rules below. Here's exactly how to reach us, what we promise back, and what's in scope.
Pre-launch: the formal VDP and paid bug bounty program open before public GA. Until then, please disclose privately as described below.
Reporting a vulnerability
Report it privately — never a public issue
One inbox, one subject line, and a short list of things that help us reproduce and fix fast.
Where to send it
Email us directly. Please don't open a public GitHub issue — coordinated disclosure keeps other tenants safe while we ship the fix.
hi@spiraldeck.com
Subject prefix
[security]
A PGP key and a /.well-known/security.txt file will be published once the production domain is live.
What to include
The more of this you can give us, the faster we triage and the sooner the fix lands.
- A clear description of the issue and its real-world impact
- Reproduction steps — the smallest possible example
- The affected endpoint, commit or version
- Your proposed severity (a CVSS v3.1 vector if you have one)
- Whether you'd like public credit when the fix ships
What we promise back
Response targets, by severity
We keep you informed through triage and tell you the moment the fix lands. We ask one thing in return: hold public disclosure until the fix ships and we've agreed a date.
| Severity | Examples | Acknowledge | Triage decision | Fix in production |
|---|---|---|---|---|
| Critical | RCE, tenant-isolation break, full data exfiltration | < 24 h | < 72 h | < 7 d |
| High | Auth bypass, IDOR, privilege escalation | < 48 h | < 7 d | < 30 d |
| Medium | | < 7 d | < 14 d | next minor release |
| Low / informational | | < 14 d | best effort | best effort |
These are good-faith targets, not contractual SLAs, while we're pre-GA. Paid bug-bounty rewards arrive with the formal program before public launch.
Safe harbor
Research in good faith is authorized
Stay within the lines below and your testing is authorized under this policy — we will not pursue or support legal action against you, and we'll treat your report as a good-faith contribution.
The rules
- Test only your own tenant and accounts you own
- Never access, modify or exfiltrate another tenant's data
- Run no denial-of-service tests against shared infrastructure
- Use no social engineering against staff or customers
- Give us a reasonable window to fix before you disclose
Scope
What's in, and what's out
Test the surfaces below freely within the safe-harbor rules. The out-of-scope list keeps everyone's time on issues that actually move the needle.
In scope
- Every *.spiraldeck.app web surface
- The API at api.spiraldeck.app
- The desktop work tracker
- Official mobile apps, once published
- Auth & authorization — login, SSO, SCIM, invites
- Multi-tenant isolation — any cross-tenant read, write or list
- The capture pipeline — screenshots, activity events, upload signing
- Billing & subscription endpoints
Out of scope
- Anything needing physical access to an unlocked device
- Self-XSS requiring the victim to paste into devtools
- Missing security headers with no demonstrated exploit
- Automated-scanner output with no proof of exploitability
- Social engineering of employees or customers
- Volumetric denial-of-service
- Issues in third-party services we depend on (report upstream)
Unsure whether something's in scope? Email hi@spiraldeck.com and ask before you test.
See something? Say something — privately.
We'd rather hear it from you than read about it later. Report in good faith and we'll respond fast, fix it, and credit you when it ships.