If you believe you have found a security vulnerability in any RiskInnovate-owned property, please report it to us so we can address it before it affects customers.
How to report
Send vulnerability details to security@riskinnovate.com. Encrypt sensitive information with our PGP key (fingerprint available on request).
What to include
- Affected asset (domain, endpoint, package, deliverable)
- Steps to reproduce, with the smallest reliable proof-of-concept
- Impact assessment from your perspective
- Any logs, screenshots, or recordings that help verify the finding
What we commit to
- Acknowledge receipt within 2 business days
- Triage and provide an initial status within 5 business days
- Keep you updated on progress and timeline
- Credit you in our hall of fame if you wish (and remediation has shipped)
Out of scope
- Denial-of-service or volumetric attacks
- Social engineering of staff, customers, or sub-processors
- Findings that require physical access to RiskInnovate offices
- Reports generated solely by automated scanners without verification
Safe harbor
We will not pursue legal action against researchers who comply with this policy and act in good faith.
This page is a working draft of our disclosure policy. The signed-off version will be published ahead of general availability.