Product security

Security researchers make us stronger.

We build security products, so we hold ours to a high bar — and we welcome good-faith research that helps us do better. This page explains how we secure our platform and how to report a vulnerability under our disclosure program.

How we secure our products

Security is engineered in, not bolted on

From design to deployment, every change to our platform passes through layered controls built and run by our own security team.

Secure development

Mandatory code review, automated SAST/DAST, dependency scanning, and signed builds. Secrets never live in source, and every release is traceable.

Continuous testing

Independent penetration tests at least annually, ongoing red-team exercises, and a bug bounty program keep us honest year-round.

Hardened by default

Least-privilege access, tenant isolation, encryption everywhere, and 24/7 monitoring of our own estate by the same SOC that protects customers.

Vulnerability disclosure policy

Responsible disclosure

S-Security is committed to keeping our customers safe. If you believe you've found a security vulnerability in our products or infrastructure, we want to hear from you and will work with you to resolve it quickly. This policy describes our scope, safe-harbor commitment, and how to report.

Scope

In scope:

  • app.s-security.io and the customer dashboard
  • The S-Security public API and webhooks
  • www.s-security.io and related marketing properties
  • The S-Security endpoint agent and official integrations

Out of scope:

  • Denial-of-service, volumetric, or resource-exhaustion testing
  • Social engineering of our staff, customers, or vendors
  • Physical attacks against our offices or data centers
  • Findings from automated scanners without a demonstrated, reproducible impact
  • Third-party services not operated by S-Security

Safe harbor

We will not pursue or support legal action against researchers who, in good faith, follow this policy. Specifically, if you make a good-faith effort to comply, we consider your research authorized under relevant computer-misuse and anti-circumvention laws, we will work with you to understand and resolve the issue promptly, and we will not bring a claim against you for accidental, good-faith violations. Stop and contact us if you encounter customer data; do not access, modify, or store more data than necessary to demonstrate the issue.

How to report

Email a detailed report to security@s-security.io. Please include:

  • A clear description of the vulnerability and affected asset;
  • Step-by-step reproduction instructions or a proof of concept;
  • The potential impact and any suggested remediation; and
  • Your contact details (and handle, if you'd like credit).

Encrypted reporting. For sensitive findings, encrypt your report with our PGP key. Request the current public key and fingerprint from security@s-security.io, or download it from /.well-known/security.txt. We accept encrypted submissions and will respond in kind.

What to expect

We acknowledge reports within 2 business days, provide a triage assessment within 5 business days, and keep you updated through remediation. We ask that you give us a reasonable window — typically up to 90 days — to fix validated issues before public disclosure, and that you coordinate timing with us. We're happy to credit you once a fix is shipped.

Bug bounty program

Eligible, previously unreported vulnerabilities earn rewards based on severity (CVSS) and impact, ranging from recognition to four-figure payouts for critical findings. Rewards are at our discretion and require compliance with this policy. Ask us for an invitation to our private program.

Hall of fame

We're grateful to the researchers who help keep S-Security safe. With their permission, we recognize valid contributors here.

  • R. Mehta — authentication bypass, dashboard
  • L. Andersson — IDOR in reporting API
  • K. Owusu — stored XSS, admin console
  • J. Park — SSRF in integration connector
  • M. Costa — privilege escalation, agent

Found something?

Help us keep S-Security secure

Report responsibly, get credited, and join the researchers who make our platform safer for thousands of organizations.