Vulnerability Disclosure Policy
Threat Detective takes the security of our systems seriously, and we value the security community. Responsible disclosure of vulnerabilities helps us keep our customers, and their patients, safe.
Last updated: 16 April 2026
If you believe you have found a security vulnerability in any of our systems, we encourage you to report it to us as described in this policy.
How to report a vulnerability
Send your report to security@threatdetectivehq.com.
If your report contains sensitive information, please encrypt it using our PGP key, available at /.well-known/pgp-key.asc.
- Key ID: Security <security@threatdetectivehq.com>
- Fingerprint: 1382 95B8 C9C0 7843 A0CB 5D40 ADE5 AB07 1E37 063F
- Valid until: 2030-04-16
Please include
- A clear description of the vulnerability.
- Steps to reproduce, including any proof-of-concept code, scripts, or screenshots.
- The affected product, URL, or endpoint.
- Your assessment of the potential impact.
- Any suggested remediation (optional).
Please do not include
- Personally identifiable information about Threat Detective customers or their users.
- Customer data accessed during your research.
- Credentials, tokens, or session cookies belonging to others.
If you inadvertently access data that does not belong to you, stop immediately and include that fact in your report. Do not save, copy, transfer, or otherwise retain the data.
What to expect from us
- Acknowledgement of your report within 3 business days.
- Initial triage and severity assessment within 10 business days.
- A communicated remediation plan, including expected timeline, within 30 days of triage.
- Periodic updates if remediation takes longer than initially expected.
- Notification when the issue is resolved, with an invitation to verify the fix.
We aim to remediate confirmed vulnerabilities according to severity:
| Severity | Target remediation |
|---|---|
| Critical | Within 7 days |
| High | Within 14 days |
| Medium | Within 90 days |
| Low | Best effort |
Scope
The following systems are in scope:
- threatdetectivehq.com: our marketing website
- eu.threatdetectivehq.com: the Threat Detective application
- api.threatdetectivehq.com: our public and authenticated APIs
- sbom.threatdetectivehq.com: our public SBOM portal
Out of scope
- Social engineering of our staff, customers, or suppliers (including phishing).
- Physical attacks against our offices, staff, or infrastructure.
- Denial of service (DoS), distributed denial of service (DDoS), or volumetric attacks.
- Attacks requiring physical access to a user's device.
- Spam, content injection, or social media abuse.
- Vulnerabilities in third-party services or dependencies that we do not operate (e.g. Cloudflare, Hetzner). Please report these to the relevant vendor.
- Recently disclosed zero-day vulnerabilities in third-party software (we ask for a 30-day grace period).
- Reports generated solely by automated scanners without demonstrated impact.
- Missing security headers, cookie flags, or TLS configuration issues without a demonstrated, exploitable impact.
- Self-XSS, clickjacking on pages without sensitive actions, or CSRF on unauthenticated endpoints.
- Username or email enumeration on authentication, registration, or password reset flows.
- Rate limiting or brute-force issues on non-authentication endpoints.
- Testing against customer tenants or customer data without explicit written authorisation from that customer.
Safe harbour
When conducting vulnerability research in line with this policy, we consider your activity to be:
- Authorised under the Computer Misuse Act 1990 and equivalent laws, and we will not initiate or support legal action against you.
- Exempt from restrictions in our Terms of Service that would otherwise prohibit security testing.
This safe harbour applies only to activity that is consistent with this policy. If legal action is initiated by a third party against you for activity that complied with this policy, we will make this authorisation known.
We ask that you:
- Act in good faith and avoid privacy violations, data destruction, or service disruption.
- Only interact with accounts you own or have explicit permission to access.
- Give us a reasonable opportunity to remediate before publicly disclosing.
Coordinated disclosure
We operate a coordinated disclosure model. We ask that you do not publicly disclose a vulnerability until we have had a reasonable opportunity to remediate, typically 90 days from initial report, or sooner if a fix is released.
We are happy to discuss disclosure timing with you and will work together in good faith if more time is needed.
Recognition
With your permission, we publish the names (or handles) of researchers who report valid vulnerabilities to our Hall of Fame. We do not currently offer monetary rewards.
Questions
If anything in this policy is unclear, or if you would like to discuss a potential report before submitting it, contact us at security@threatdetectivehq.com.
This policy is adapted from the NCSC Vulnerability Disclosure Toolkit and aligned with ISO/IEC 29147.