Vulnerability Disclosure Policy
Last updated: May 2026
We take the security of InsideDB seriously. If you have discovered a security vulnerability, we appreciate your help in disclosing it to us responsibly.
Reporting a Vulnerability
Send your report to beric@insidedb.ai with as much detail as possible. Where we have published a GPG key, we recommend encrypting sensitive details (credentials, proof-of-concept code, affected customer data) with it rather than sending them in plain text.
A good report includes:
- A clear description of the vulnerability and its impact
- Steps to reproduce the issue (proof-of-concept code, screenshots, or a video)
- The affected component, endpoint, or version
- Any potential mitigations you have identified
Response Timeline
- Acknowledgement: We will acknowledge your report within 48 hours and provide an initial assessment.
- Triage: We will confirm the vulnerability and determine its severity within 5 business days.
- Fix: We aim to resolve critical issues within 7 days and high-severity issues within 30 days. Lower-severity issues are queued into our regular release cycle.
- Disclosure: We will coordinate public disclosure with you. We will not publish details without your agreement, and we ask that you give us reasonable time to fix the issue before disclosing it publicly.
Safe Harbor
When researching and reporting security vulnerabilities under this policy, we consider these activities to be:
- Authorized — We will not pursue legal action against you for testing or reporting vulnerabilities in accordance with this policy.
- Exempt — We will not bring a DMCA claim against you for circumventing technical controls necessary to test a vulnerability.
- Protected — We will not suspend or terminate your InsideDB account solely for security research conducted in good faith.
This safe harbor applies as long as you:
- Act in good faith and do not exploit the vulnerability beyond what is necessary to demonstrate it
- Do not access, modify, or delete data that does not belong to your own account
- Do not degrade the service (denial of service, resource exhaustion, spam)
- Report the vulnerability to us before disclosing it to anyone else
Scope
This policy covers:
- The InsideDB web application at insidedb.ai
- The InsideDB API at insidedb.ai/api/*
Out of Scope
The following are not covered by this policy:
- Denial of service (DoS) attacks or resource exhaustion
- Social engineering or phishing attacks targeting InsideDB employees or users
- Physical attacks against our infrastructure or offices
- Vulnerabilities in third-party services that we use (report those to the respective vendor)
- Missing security headers that do not directly lead to an exploitable vulnerability
- Clickjacking on pages with no sensitive actions
- Issues related to email SPF/DKIM/DMARC that do not enable email spoofing
- Theoretical vulnerabilities without a working proof-of-concept
Recognition
We believe in crediting security researchers who help us improve. With your permission, we will add your name or handle to our Security Hall of Fame. We do not currently offer monetary rewards (bug bounties), but researchers who report critical vulnerabilities will receive our sincere gratitude and public acknowledgment.
This policy may be updated from time to time. The current version is always available at insidedb.ai/security and at insidedb.ai/.well-known/security.txt.