InsightPilot Vulnerability Disclosure Policy

Last updated: 10/11/2025

Our Commitment

InsightPilot values the security of our customers and systems. We welcome reports of potential vulnerabilities discovered in our websites and services and are committed to working with security researchers to address issues promptly and responsibly.

Scope

  • In scope: Any InsightPilot-owned domain and service, including insightpilot.com and subdomains we operate.
  • Out of scope: Third-party services not operated by InsightPilot, social engineering, physical attacks, denial-of-service or resource exhaustion, spam/DMARC alignment suggestions, and findings without demonstrable security impact.

How to Report

Email [email protected] with:

  • A clear description of the issue and its impact
  • Step-by-step reproduction instructions (proof of concept)
  • URLs/endpoints, affected parameters, request/response samples, and timestamps
  • Any relevant screenshots or short videos
  • Your contact info and preferred credit name (if you'd like public acknowledgment)

Coordinated Disclosure & SLAs

  • Acknowledgment: within 72 hours
  • Triage/assessment: within 5 business days
  • Remediation targets: based on severity (we aim for 30 days for high severity)

Please allow us a reasonable time to remediate before public disclosure. We typically request coordination until a fix is deployed or up to 90 days, whichever comes first.

Safe Harbor

If you make a good-faith effort to comply with this policy during your security research, we will not initiate legal action against you. We consider research that follows these guidelines to be conducted in good faith:

  • Do not access, modify, or exfiltrate data beyond what is necessary to prove the issue
  • Do not disrupt our services or degrade availability
  • Do not violate privacy or confidentiality
  • Do not use automated scanning beyond a light touch necessary to reproduce
  • Comply with applicable laws and do not exploit the vulnerability

Recognition & Rewards

We currently do not run a paid bug bounty. However, we are happy to acknowledge verified, non-duplicate, impactful submissions on our acknowledgments page with your preferred name and a link (if desired).

Encryption (Optional)

If needed, request a PGP key via [email protected]. We will share a public key for encrypted communication.

Contact

[email protected]
/.well-known/security.txt