Responsible Disclosure

We welcome reports from security researchers. If you believe you've found a vulnerability in Serpentine, we want to hear from you.

Reporting a vulnerability

Send your report to security@spnt.io. Where possible, encrypt sensitive details using our PGP key, available at /.well-known/security.txt.

Please include:

  • A clear description of the issue and its potential impact
  • Steps to reproduce, including any proof-of-concept code or requests
  • The affected URL, endpoint, or component
  • Your contact details so we can follow up

Our commitment to you (safe harbor)

We will not pursue legal action against researchers who act in good faith and comply with this policy. Specifically, if you make a good-faith effort to comply with this policy during your research, we will consider your activity authorized, we will work with you to understand and resolve the issue quickly, and we will recognize your contribution if you are the first to report a previously unknown issue that we act upon.

Rules of engagement

  • Only test against your own account or accounts you have explicit permission to test
  • Do not access, modify, or delete data that does not belong to you
  • Do not perform attacks that degrade service availability (DoS/DDoS) or spam
  • Do not use social engineering, phishing, or physical attacks against our staff or facilities
  • Give us reasonable time to remediate before any public disclosure

Scope

In scope: our production web properties under spnt.io and the Serpentine application. Out of scope: third-party services we use (report those to the respective vendor), findings that require physical access, and theoretical issues without a demonstrable security impact.

Response timelines

  • Acknowledgement of your report within 3 business days
  • An initial assessment and triage within 10 business days
  • Regular updates on remediation progress for valid reports

Related policies

See our Security page for how we protect our infrastructure, and our Responsible Use policy for permitted use of the platform.