Heuristicworks Trust Center

Vulnerability Disclosure Policy

Version 1.0
Effective 2026-07-01
Heuristicworks LLC


Supported Versions

Version              Supported
Latest production    Yes
All prior versions   No

Only the current production deployment at spexsure.com receives security fixes.

Reporting a Vulnerability

Do not open a public GitHub issue for security vulnerabilities.

Report vulnerabilities via one of the following:

What to include

Please provide:

  1. A clear description of the vulnerability
  2. Steps to reproduce (proof-of-concept if possible)
  3. The potential impact
  4. Your suggested severity (Critical / High / Medium / Low)

What to expect

Milestone                    Target
Acknowledge receipt          Within 72 hours
Initial assessment           Within 7 days
Remediation — Critical       Within 24 hours
Remediation — High           Within 7 days
Remediation — Medium / Low   Within 30 days

We will notify you when the issue is resolved and credit you in the release notes (unless you prefer to remain anonymous).

Scope

In scope:

  • Authentication and session management
  • API endpoints (/api/trpc/*, /api/prd/*, /api/webhooks/*)
  • Data exposure or injection vulnerabilities
  • BYOK key handling
  • Stripe and Jira OAuth flows
  • Prompt injection in AI pipeline

Out of scope:

  • Denial-of-service attacks
  • Social engineering of Spexsure staff
  • Findings from automated scanners without demonstrated exploitability
  • Issues in third-party services (Stripe, Anthropic, Supabase, Jira)

Responsible Disclosure

We ask that you:

  • Give us reasonable time to remediate before public disclosure
  • Do not access, modify, or exfiltrate data that does not belong to you
  • Do not disrupt production services

We commit to:

  • Treating all reports in good faith
  • Not pursuing legal action against researchers acting in good faith
  • Crediting reporters who wish to be named

Contact

security@spexsure.com — PGP key available on request.