Security & Responsible Disclosure

Last updated: 2026-05-11

We welcome the security community's help in keeping the SpadeBrite Service safe. This page describes how to report vulnerabilities and what to expect from us in return.

Template notice. This document is a working draft provided as a starting point. It is not legal advice and has not been reviewed by counsel. Please have qualified legal counsel review and adapt this document before relying on it in production.

01 How to report

Send vulnerability reports to security@spadebrite.com. Please include a clear description, reproduction steps, and any proof-of-concept material necessary to validate the issue. We support PGP for sensitive reports on request.

02 Scope

In scope:

  • the SpadeBrite website and product surfaces;
  • API endpoints documented in our developer materials;
  • authentication, authorization, and account-management flows.

Out of scope:

  • denial-of-service or volumetric testing;
  • social engineering, physical attacks, or attacks on third-party services;
  • findings produced by automated scanners without demonstrated impact.

03 Safe-harbor commitment

We will not pursue legal action against researchers acting in good faith who follow this policy, avoid privacy violations, destroy any retrieved data, and give us reasonable time to remediate before public disclosure.

04 Our response

We aim to acknowledge reports within five business days, communicate a tentative remediation timeline, and credit researchers (with permission) once an issue is resolved.