Vulnerability Disclosure Policy
Version 1.0, effective 2026-07-01, Heuristicworks LLC
Supported Versions
| Version | Supported |
|---|---|
| Latest production | ✅ |
| All prior versions | ❌ |
Only the current production deployment at spexsure.com receives security fixes.
Reporting a Vulnerability
Do not open a public GitHub issue for security vulnerabilities.
Report vulnerabilities via one of the following:
- Email: security@spexsure.com
- In-app bug report: spexsure.com/x/bugs — mark subject as "Security"
What to include
Please provide:
- A clear description of the vulnerability
- Steps to reproduce (proof-of-concept if possible)
- The potential impact
- Your suggested severity (Critical / High / Medium / Low)
What to expect
| Milestone | Target |
|---|---|
| Acknowledge receipt | Within 72 hours |
| Initial assessment | Within 7 days |
| Remediation — Critical | Within 24 hours |
| Remediation — High | Within 7 days |
| Remediation — Medium / Low | Within 30 days |
We will notify you when the issue is resolved and credit you in the release notes (unless you prefer to remain anonymous).
Scope
In scope:
- Authentication and session management
- API endpoints (/api/trpc/*, /api/prd/*, /api/webhooks/*)
- Data exposure or injection vulnerabilities
- BYOK key handling
- Stripe and Jira OAuth flows
- Prompt injection in AI pipeline
Out of scope:
- Denial-of-service attacks
- Social engineering of Spexsure staff
- Findings from automated scanners without demonstrated exploitability
- Issues in third-party services (Stripe, Anthropic, Supabase, Jira)
Responsible Disclosure
We ask that you:
- Give us reasonable time to remediate before public disclosure
- Do not access, modify, or exfiltrate data that does not belong to you
- Do not disrupt production services
We commit to:
- Treating all reports in good faith
- Not pursuing legal action against researchers acting in good faith
- Crediting reporters who wish to be named
Contact
security@spexsure.com — PGP key available on request.