
Vulnerability Disclosure

HarborGuard's product is vulnerability scanning, so we welcome, and rely on, the security research community to help us hold ourselves to the same standard. This page is our coordinated disclosure policy. As the program matures we will publish a PGP key and a /.well-known/security.txt; until then, plain (unencrypted) email to the address below is the canonical channel. Because that channel is not encrypted, keep customer data and working credentials out of the initial message; a minimal proof of concept is enough for triage.

How to report

  • Email: security@harborguard.co
  • PGP key: not yet published — encrypted reporting will be available alongside our first formal security audit.
  • security.txt: not yet published — planned alongside the PGP key.

Please include:

  • A clear description of the issue and its impact.
  • Reproduction steps, ideally with a minimal proof of concept.
  • The affected component (web app, API, sensor agent, specific endpoint).
  • Your name or handle as you would like it credited (or "anonymous").

We aim to acknowledge reports within two business days and provide a triage decision within five business days.

Scope

In scope:

  • The HarborGuard SaaS application at https://harborguard.co.
  • The public REST API under /api.
  • The HarborGuard sensor agent and its container image.
  • Authentication, authorization, and tenant-isolation logic.
  • Cryptographic implementations in customer-data paths.

Out of scope:

  • Denial-of-service attacks, volumetric or otherwise.
  • Social engineering of HarborGuard staff, customers, or vendors.
  • Physical attacks against HarborGuard or its hosting provider.
  • Findings against third-party services we depend on (report those directly to the vendor; see Sub-processors).
  • Reports generated solely by automated scanners without demonstrated impact.
  • Best-practice recommendations without a concrete vulnerability (missing security headers, CSP weaknesses without a working bypass, SPF/DMARC posture, TLS configuration that meets industry baselines, etc.).
  • Self-XSS, clickjacking on unauthenticated pages with no security impact, or rate-limiting on non-authentication endpoints.
  • Vulnerabilities in customer-controlled configurations (their own SSO IdP, their own webhook endpoint, etc.).

Safe harbor

If you make a good-faith effort to comply with this policy during your security research, HarborGuard will:

  1. Consider your research authorized under the Computer Fraud and Abuse Act (and analogous state and international laws).
  2. Not pursue or support legal action related to your research.
  3. Work with you to understand and resolve the issue quickly.

Good-faith research means:

  • You only access data necessary to demonstrate the vulnerability, and you do not exfiltrate, modify, or destroy data.
  • You stop testing and notify us as soon as you confirm a vulnerability or encounter customer data.
  • You do not publicly disclose the issue until we have had a reasonable opportunity to remediate (typically 90 days, or as mutually agreed).
  • You do not violate any other applicable law.

If a third party initiates legal action against you for activities conducted in good faith under this policy, we will make our authorization known.

Disclosure timeline

  • Day 0: report received.
  • Day ≤2 (business): acknowledgement sent to the reporter.
  • Day ≤5 (business): triage decision and severity assessment shared with reporter.
  • Day ≤90: remediation shipped for in-scope, valid findings (faster for high-severity issues).
  • Day 90+: coordinated public disclosure, with reporter credit unless anonymity is requested.

Recognition

HarborGuard does not currently operate a paid bug-bounty program. For valid reports we send a written thank-you and, where the reporter wishes, public credit in release notes and on our future Security Hall of Fame, which will be linked here once published.

Questions

For anything unclear about this policy, email security@harborguard.co before testing and we will respond.
