Responsible Disclosure Policy & Bug Bounty
Effective May 1, 2026 — this page is the researcher-facing summary of Improvado's Responsible Disclosure Policy (RDP-001, version 1.5) and describes how to report vulnerabilities in Improvado's products and infrastructure, what you can expect from us, and the protections we extend to good-faith security research.
How to Submit a Vulnerability
Report vulnerabilities to Improvado's security team by email at security@improvado.io (preferred channel). Our machine-readable reporting contact is also published at /.well-known/security.txt (RFC 9116). Researchers who wish to encrypt their submission may request our PGP key via the same email.
What to include in a report:
- A clear, English-language description of the vulnerability.
- The affected asset, URL, or component.
- Steps to reproduce, including proof-of-concept code or screenshots where helpful.
- Impact assessment — what the vulnerability could enable an attacker to do.
- Suggested remediation, if available.
- Any plans or intentions for public disclosure, including timing.
- Your contact information.
Scope
In scope:
- The Improvado customer-facing platform at the publicly published Improvado domains.
- Improvado customer-facing APIs at the publicly published API endpoints.
- Improvado-owned and -operated public domains and subdomains that host Improvado services.
Out of scope (not covered by Safe Harbor):
- Customer data in any form, including customer-controlled credentials.
- Third-party services integrated with Improvado — report vulnerabilities in those services to the relevant vendor.
- Customer-controlled tenants or destinations accessed via Improvado.
- Social engineering, phishing, vishing, or smishing against Improvado's workforce, contractors, or vendors.
- Denial-of-service (DoS/DDoS) testing and large-scale rate-limit-bypass testing.
- Spam or automated mass-account creation.
- Physical-security testing and vulnerabilities requiring physical access to a device.
- Purely theoretical findings with no demonstrable impact.
- Reports of outdated software versions without a demonstrated exploit.
- Best-practice or hardening recommendations with no associated vulnerability (for example, missing security headers without an exploit).
Rules of Engagement
Authorized testing includes black-box testing of public endpoints, authentication and authorization testing using accounts you legitimately control, testing aligned with the OWASP Top 10 and OWASP API Security Top 10, and reasonable, low-volume API testing consistent with normal usage.
You must not:
- Access, modify, exfiltrate, retain, or share Improvado data, customer data, or other users' data beyond the minimum needed to demonstrate the vulnerability.
- Use automated scanners in a way that materially affects service availability.
- Attempt to phish or social-engineer Improvado workforce members.
- Move laterally beyond the initial finding to pivot into other systems.
- Disclose findings publicly before the agreed coordinated-disclosure timeline expires.
If you inadvertently encounter customer data or other sensitive third-party information, stop testing immediately, do not access or copy further data, securely delete any data already accessed, and note this in your report.
Safe Harbor
Improvado considers good-faith security research conducted within the scope and rules above to be authorized. For such research, Improvado will not pursue civil action under the U.S. Computer Fraud and Abuse Act (CFAA) or the Digital Millennium Copyright Act (DMCA), or under analogous laws in your jurisdiction, and will not initiate or support criminal complaints related to the research. Safe Harbor does not apply to activity outside the scope of this policy, to violations of the rules of engagement, or to harm caused to Improvado, its customers, or third parties. If you are unsure whether a planned test is in scope, ask us first at security@improvado.io.
What You Can Expect from Improvado
- Acknowledgement of your report within 2 business days.
- A triage outcome (validated / not applicable / duplicate / out of scope) within 10 business days for most reports.
- An expected remediation timeline following triage, aligned with our severity-based targets (Critical: 7 days; High: 30 days; Medium: 90 days; Low: 180 days or documented acceptance).
- Open dialogue throughout the lifecycle, including notification at each review stage.
- Credit in public communications following remediation, where you consent to it.
Coordinated Disclosure
The default coordinated-disclosure window is 90 calendar days from the date Improvado acknowledges the vulnerability. For critical vulnerabilities that require customer-facing changes or third-party coordination, we may request an extended window; a shorter or longer timeline can be mutually agreed. Where a vulnerability is being actively exploited, we prioritize remediation immediately and may publish advisories ahead of the standard window.
Bug Bounty
Improvado operates a bug-bounty program for valid, in-scope findings. Bounty amounts are determined case by case based on severity (CVSS), exploit complexity, blast radius, novelty, and the quality of the report. In addition to monetary bounties, all valid reports receive public credit (with your consent) following remediation, and Improvado merchandise may be offered as additional recognition.
AI / LLM Findings
Reports relating to AI and LLM features of the Improvado platform — including prompt injection, output manipulation, jailbreaks, model-disclosure issues, and unsafe model behavior — are accepted under this policy and evaluated with the same severity framework.