InsightPilot Vulnerability Disclosure Policy
Last updated: 12/7/2025
Our Commitment
InsightPilot values the security of our customers and their financial data. As an AI-powered FX reconciliation platform handling sensitive treasury information, we maintain rigorous security standards and welcome reports of potential vulnerabilities from security researchers.
Scope
In Scope
- Any InsightPilot-owned domain (insightpilot.com and subdomains)
- Web application and user dashboard
- API endpoints (api.insightpilot.com)
- Authentication and authorization systems
- Bank connectivity integration layer (our side only)
Out of Scope
- Third-party banking portals and systems not operated by InsightPilot
- ERP systems (Sage X3, SAP, etc.) not operated by InsightPilot
- Open banking providers (Powens, Tink) — report directly to them
- Social engineering, phishing, or physical attacks
- Denial-of-service or resource exhaustion attacks
- Findings without demonstrable security impact
Financial Data Guidelines
IMPORTANT: Security researchers must NOT attempt to access, exfiltrate, view, or manipulate actual customer financial data (FX trades, bank statements, reconciliation results, counterparty information) as part of testing. Use of test/sandbox environments with synthetic data is required. Any inadvertent exposure to customer financial data must be reported immediately and not retained or disclosed.
How to Report
Email [email protected] with:
- A clear description of the issue and its potential impact on financial data security
- Step-by-step reproduction instructions (proof of concept)
- URLs/endpoints, affected parameters, request/response samples, and timestamps
- Relevant screenshots or short videos (ensure no customer data is visible)
- Your contact info and preferred credit name (if you'd like public acknowledgment)
Coordinated Disclosure & SLAs
| Stage | Timeline |
|---|---|
| Acknowledgment | Within 72 hours |
| Triage/Assessment | Within 5 business days |
| Critical Severity (data exposure risk) | 15 days remediation target |
| High Severity | 30 days remediation target |
Please allow us reasonable time to remediate before public disclosure. We request coordination until a fix is deployed or up to 90 days, whichever comes first.
Safe Harbor
If you make a good-faith effort to comply with this policy during your security research, we will not initiate legal action against you. We consider the following guidelines as part of good-faith research:
- Do not access, modify, or exfiltrate data beyond what is necessary to prove the issue
- Do not disrupt our services or degrade availability
- Do not violate privacy or confidentiality
- Do not use automated scanning beyond a light touch necessary to reproduce
- Comply with applicable laws and do not exploit the vulnerability
Recognition & Rewards
We currently do not run a paid bug bounty. However, we are happy to acknowledge verified, non-duplicate, impactful submissions on our acknowledgments page with your preferred name and a link (if desired).
Security Standards
InsightPilot implements the following security measures for financial data protection:
| Measure | Standard |
|---|---|
| Encryption at Rest | AES-256 encryption for all stored financial data |
| Encryption in Transit | TLS 1.3 for all data transmission |
| Authentication | OAuth 2.0 / API keys with rate limiting |
| Access Control | Role-based access control (RBAC) with audit logging |
| Infrastructure | EU-region hosting with SOC 2 Type II certified providers |
Encryption (Optional)
If needed, request a PGP key via [email protected]. We will share a public key for encrypted communication.