Responsible Disclosure Policy
Last updated May 18, 2026
The security of our systems and user data is Cyberhaven's top priority. We appreciate researchers who act in good faith to identify and report potential vulnerabilities. While we do not have a bug bounty compensation program at this time, we are happy to offer recognition for your ethical work in keeping the software community safe and secure.
Scope
This policy covers all internet-facing systems, applications, and websites owned, operated, or controlled by Cyberhaven, including the Cyberhaven domain and related subdomains. It does not cover systems owned or operated by third parties, even those hosted under a Cyberhaven domain.
Covered vulnerability types include misconfigurations, CSRF, privilege escalation, SQL injection, XSS, and directory traversal attacks. Not every submission will qualify as a vulnerability, but we will review all reports.
How to Submit
Email [email protected] with the following:
- Vulnerability type and severity
- Affected URL or system location
- Steps to reproduce
- Proof-of-concept (scripts, screenshots, or recordings)
- Potential impact and any suggested remediation
Please submit one vulnerability per report and note any plans for public disclosure.
Research Guidelines
To qualify for safe harbor, your research must:
- Target only Cyberhaven systems for the purpose of identifying vulnerabilities
- Avoid accessing, exfiltrating, or retaining any data beyond what is minimally necessary to demonstrate the vulnerability
- Avoid disrupting systems, degrading user experience, or conducting denial-of-service attacks
- Not involve social engineering of any Cyberhaven employee or contractor
- Coordinate timing of any public disclosure with us before publishing
- Not demand payment or make threats as a condition of disclosure
- Comply with all applicable laws, and
- Not be subject to OFAC or other U.S. sanctions
What You Can Expect From Us
- Acknowledgment within 3 business days
- Good-faith evaluation of every report
- Notification if a vulnerability is confirmed, and updates on remediation progress
- Protection of your identity unless legally required to disclose
- Attribution on any public disclosure (with your permission)
- No legal action for research conducted in accordance with this policy
Safe Harbor
We will not pursue legal action against researchers who make a good-faith effort to follow these guidelines. Safe harbor requires unconditional disclosure and prohibits extortion or threats.
Questions? Contact [email protected] before proceeding.