Responsible Disclosure

How to report

Email security@subnomic.com with:

• A clear description of the vulnerability and its potential impact;
• Step-by-step instructions to reproduce it;
• Any proof-of-concept code, requests or screenshots;
• Your name or handle if you'd like to be credited.

Our commitment

1. We'll acknowledge your report within 3 business days;
2. We'll provide an assessment and expected remediation timeline;
3. We'll keep you updated as we work on a fix;
4. We'll credit you (with your permission) once the issue is resolved.

Scope

The following are in scope:

• The Subnomic web application and API;
• The Subnomic agent and control plane;
• Our public websites.

The following are out of scope:

• Volumetric denial-of-service (DoS/DDoS) attacks;
• Social engineering of our staff, users or vendors;
• Physical attacks against our offices or data centers;
• Reports from automated scanners without a demonstrated, exploitable impact;
• Issues in third-party services we do not control.

Safe harbor

If you make a good-faith effort to comply with this policy during your research, we will consider your actions authorized, we will not pursue or support legal action against you, and we will work with you to understand and resolve the issue quickly. Please act in good faith: do not access, modify or destroy data that isn't yours, avoid privacy violations and service degradation, and only interact with accounts you own or have explicit permission to test.

Disclosure

Please give us a reasonable opportunity to remediate before disclosing publicly. We're happy to coordinate a disclosure timeline with you. We currently do not operate a paid bug-bounty program, but we deeply appreciate and will publicly acknowledge valid reports.

Contact

Questions about this policy? Email security@subnomic.com. See also our Security overview.