Vulnerability Disclosure
Security researchers are welcome to report vulnerabilities responsibly. Review the safe harbor expectations and testing limits first.
Safe Harbor Policy
Specteron supports good-faith security research. If you follow these guidelines and avoid customer harm, we will treat your activity as authorized research.
We do not want responsible disclosure to create unnecessary legal risk for researchers who act carefully and report issues promptly.
Rules of Engagement
Research must stay within a narrow set of safety boundaries to protect customers and platform stability.
- No Data Exfiltration: Do not download customer data. If exposure occurs accidentally, stop immediately and report the issue.
- No Service Disruption: Do not perform denial-of-service testing, abusive fuzzing, or physical security attacks.
- Authorized Test Scope: Only test accounts you own or are explicitly allowed to assess. Do not target third-party customer tenants.
How to Report
Send a concise summary, reproduction steps, and any proof-of-concept material needed for triage.
Please encrypt sensitive submissions with the key referenced in `/.well-known/security.txt` when appropriate.
Response Targets
Specteron aims to acknowledge, triage, and resolve legitimate reports with clear expectations for the reporting party.
- Acknowledgement: Within 48 business hours.
- Triage: Within 5 business days with initial severity and validity review.
- Resolution: Depends on severity and complexity, with critical findings escalated immediately.