1. Our commitment
ThreatSpire takes security seriously. We believe that working with skilled security researchers across the globe is an important part of protecting our customers and the broader internet community. We are committed to investigating reports promptly and transparently, and to treating good-faith researchers with respect.
This policy describes how we would like you to report vulnerabilities, what you can expect from us, and the boundaries we ask you to respect. It applies to anyone who reports a vulnerability to us in good faith.
2. How to report a vulnerability
Send your report by email to security@threatspire.com. Please include the following information:
- A clear description of the vulnerability and its potential impact.
- Step-by-step instructions to reproduce the issue, including any scripts, screenshots, or videos that help us understand it.
- The affected components, URLs, or API endpoints.
- Your assessment of severity and any proof-of-concept you are comfortable sharing.
- Whether you have already disclosed the issue to anyone else.
If you prefer to encrypt your report, you may request our PGP public key by writing to the same address. We will provide it within one business day.
Please do not attach live malware or self-propagating code, execute destructive actions, or attempt to access data that does not belong to you as part of your report. Proof-of-concept scripts that demonstrate the issue without causing harm are welcome.
3. Safe harbor
We consider security research conducted in compliance with this policy to be authorized under applicable computer fraud and abuse laws. To the extent permitted by law, ThreatSpire will not pursue legal action against you for:
- Accessing our systems or data in good faith, solely for the purpose of identifying and reporting vulnerabilities.
- Activities that might otherwise violate our terms, if those activities are necessary to the research and are conducted within this policy.
- Communicating with us about the vulnerability at any time, and with others once we have confirmed that the issue has been remediated or the disclosure timeline agreed under section 6 has passed.
Safe harbor applies only to research conducted within the scope and guidelines described in this policy. It does not apply to research that is reckless, destructive, or primarily intended to cause harm.
4. Researcher guidelines
To keep everyone safe and to ensure your research is in good faith, please:
- Do not access, modify, or destroy data that does not belong to you.
- Do not conduct denial-of-service testing, send spam, or perform load testing against our infrastructure.
- Do not pivot from your research into other tenants' accounts, customer data, or internal systems outside the scope below.
- Minimize the impact of your testing. Use test accounts where possible. If you encounter customer data, stop immediately, do not retain or copy it, and tell us in your report.
- Do not publicly disclose a vulnerability before we have had a reasonable time to investigate and remediate it. We aim to acknowledge reports within three business days and will agree on a disclosure timeline with you.
- Do not exploit a vulnerability for any reason other than testing and reporting it to us.
- Do not share your access with others or use it for any purpose other than good-faith research under this policy.
5. Scope
In scope. The following assets and services are in scope for this policy:
- The ThreatSpire web application and its authenticated and unauthenticated interfaces.
- Published ThreatSpire APIs, including REST and webhook endpoints.
- Official ThreatSpire domains and subdomains that serve the application or its documentation.
Out of scope. The following are out of scope and should not be tested:
- Third-party services, vendors, or integrations not operated by ThreatSpire.
- Social engineering or phishing attacks against our employees, customers, or users.
- Physical security attacks on our offices, hardware, or personnel.
- Brute-forcing credentials of accounts you do not own, except where explicitly part of a scoped test environment we have set up for you.
- Vulnerabilities in third-party open-source dependencies unless they directly and demonstrably affect the ThreatSpire application in a way we can mitigate.
If you are unsure whether something is in scope, please ask us before testing.
6. What to expect
Acknowledgment. We aim to acknowledge receipt of your report within three business days. If we need more information, we will ask promptly.
Status updates. We will keep you informed of our progress as we investigate and remediate the issue. You can expect an update at least every seven business days until the issue is resolved or closed.
Remediation target. We target remediation of critical and high-severity vulnerabilities within 30 days of validation, and medium and low severity within 90 days. Timelines may vary depending on complexity and dependencies.
Recognition. We publicly credit researchers who report valid, in-scope vulnerabilities, unless you request anonymity. At this time, we do not operate a formal bug bounty program with cash rewards, but we are happy to offer public thanks, letters of appreciation, and, where appropriate, swag.
Disclosure. Once a vulnerability has been remediated, we welcome coordinated public disclosure. We ask that you give us at least 30 days after remediation before publishing details, and that you share a draft of your write-up with us for factual review if possible.
7. Contact
Security reports and questions about this policy should be sent to security@threatspire.com.
ThreatSpire LLC
Dover, Delaware
United States
