Responsible disclosure
We treat the security of the platform and the data it holds as core to the product. If you have found a vulnerability, we want to hear about it, and we will work with you to confirm and fix it. This policy explains how to report and what you can expect from us in return.
How to report
Send your report to security@shadowfleet.ai. Include enough detail for us to reproduce the issue: the affected endpoint or feature, the steps, the impact you believe it has, and any proof-of-concept or logs. If a finding is sensitive, tell us and we will arrange an encrypted channel before you share details.
What to expect from us
- We acknowledge reports within three business days.
- We give an initial assessment, including whether we are treating it as in scope, within ten business days.
- We keep you updated as we work toward a fix and let you know when it ships.
- With your agreement, we are glad to credit you once the issue is resolved.
Safe harbour
If you make a good-faith effort to follow this policy, we will not pursue or support legal action against you for your research, and we will treat your work as authorized under applicable computer-misuse law. Act in good faith, avoid privacy violations and service disruption, and give us reasonable time to respond before any public disclosure.
Guidelines
- Only test against your own account or accounts you have explicit permission to use.
- Do not access, modify or delete data that is not yours, and stop as soon as you have demonstrated a problem.
- Do not run automated scanning that degrades the service, and do not use social engineering, physical attacks or denial of service.
- Keep details of any vulnerability confidential until we confirm it is resolved.
Out of scope
Reports that generally do not qualify include: missing security headers or best-practice suggestions without a demonstrated impact, rate limiting on non-sensitive endpoints, issues that require a compromised device or a man-in-the-middle position, social engineering and spam, and findings in third-party services we do not operate. If you are unsure, send it anyway and we will tell you.
Disclosure
We follow coordinated disclosure. We ask that you give us a reasonable window to remediate before publishing, and we will agree timing with you so a fix is in place first.