Heuristicworks Trust Center

Vulnerability Disclosure Policy

Heuristicworks LLC


security@spexsure.com

We take the security of our products and customer data seriously. If you believe you have found a security vulnerability in any Heuristicworks or Spexsure product, please report it to us responsibly. We will work with you to understand and address the issue promptly.


How to Report

Send your report to security@spexsure.com with the subject line "Security Vulnerability Report".

We prefer reports in English. Please include as much detail as possible to help us reproduce and assess the issue.

What to include

  • A description of the vulnerability and its potential impact
  • The product or URL affected (e.g., spexsure.com, heuristicworks.com)
  • Steps to reproduce, including any proof-of-concept code or screenshots
  • Your name and contact information (optional — anonymous reports are accepted)

Response Timeline

  • Acknowledgement: Within 48 hours of receipt
  • Triage and severity assessment: Within 5 business days
  • Remediation target: Critical within 24 hours · High within 7 days · Medium/Low within 30 days
  • Disclosure: We will coordinate with you before any public disclosure

Safe Harbour

We will not take legal action against researchers who:

  • Report a vulnerability promptly and in good faith
  • Do not access, modify, or delete data beyond what is strictly necessary to demonstrate the vulnerability
  • Do not disrupt or degrade the services of Heuristicworks or its customers
  • Do not disclose the vulnerability to third parties before it has been addressed
  • Do not use the vulnerability for personal gain

This safe harbour applies to security research conducted in good faith under the terms described here. It does not extend to activity that constitutes criminal conduct under applicable law.


Scope

The following are in scope for responsible disclosure:

  • spexsure.com and all subdomains
  • heuristicworks.com and all subdomains
  • Spexsure web application (authentication, data access, API endpoints)
  • Heuristicworks product APIs

Out of Scope

The following are not in scope:

  • Denial of service (DoS/DDoS) attacks or rate-limit testing at scale
  • Social engineering or phishing of Heuristicworks employees
  • Physical access attacks
  • Vulnerabilities in third-party services (report to the relevant third party)
  • Automated scanning that degrades service quality
  • Findings from software not actively maintained by Heuristicworks

Acknowledgements

We thank all security researchers who responsibly disclose vulnerabilities to us. With your consent, we will acknowledge your contribution publicly.


Contact

Security reports: security@spexsure.com

For our internal security standards, see the Information Security Policy.