Responsible disclosure
Found something? We want to hear from you
A clear, good-faith way to report a security issue to HiveSilo, with a written safe-harbor commitment and a defined response timeline. We do not pursue legal action over good-faith research, and we credit you publicly if you want us to. This policy is aligned with CISA Binding Operational Directive 20-01 and RFC 9116.
How to report
One address, monitored by a named responder
Email security@hivesilo.com
This is the primary channel. For sensitive findings, send a first message with "PGP required" in the subject line and no details; we will reply with our current PGP public key (it rotates periodically), and you can then send the report encrypted to it. Our authoritative machine-readable contact record is published at /.well-known/security.txt in the RFC 9116 format.
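Before trusting the contact address and key a security.txt lists, a researcher can check the record against the RFC 9116 rules (required Contact and Expires fields, at most one Expires, URI-formed values, an Expires date that is in the future but not unreasonably far out). The checker below is an added example, not HiveSilo's published record or code; the sample record it parses is constructed for the example, and the Encryption, Canonical and Policy URLs in it are assumptions.

```python
"""Minimal RFC 9116 (security.txt) checker. Added example; the sample record is
constructed, not fetched from hivesilo.com, and its URLs are assumptions."""
import re
from datetime import datetime, timedelta, timezone

REQUIRED = ("contact", "expires")                    # RFC 9116: both MUST be present
AT_MOST_ONE = ("expires", "preferred-languages")     # RFC 9116: MUST NOT appear more than once
CONTACT_SCHEMES = ("mailto:", "https://", "tel:")    # Contact values MUST be URIs
URI_FIELDS = ("encryption", "acknowledgments", "canonical", "policy", "hiring", "csaf")

# Constructed sample record (assumed URLs); the address is the one this policy names.
SAMPLE = """# Constructed sample for this example, not HiveSilo's real file.
Contact: mailto:security@hivesilo.com
Expires: 2027-06-30T00:00:00Z
Encryption: https://hivesilo.com/pgp-key.txt
Preferred-Languages: en
Canonical: https://hivesilo.com/.well-known/security.txt
Policy: https://hivesilo.com/security/disclosure
"""

# Constructed bad record: bare e-mail address instead of a mailto: URI, two Expires lines.
BAD_SAMPLE = """Contact: security@hivesilo.com
Expires: 2027-06-30T00:00:00Z
Expires: 2028-01-01T00:00:00Z
"""

# Fixed evaluation instants so the example is reproducible (assumed clock values).
SAMPLE_NOW = datetime(2027, 1, 15, tzinfo=timezone.utc)
LATE_NOW = datetime(2030, 1, 1, tzinfo=timezone.utc)


def parse_security_txt(text):
    """Return ({field-name-lowercase: [values...]}, [syntax problems]).
    Blank lines and '#' comments are skipped; field names are case-insensitive."""
    fields, problems = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.rstrip("\r")
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        name, sep, value = line.partition(":")   # split on the first colon only
        if not sep or not name.strip():
            problems.append(f"line {lineno}: not a 'Field: value' line")
            continue
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields, problems


def parse_expires(value):
    """Parse an RFC 3339 date-time; accept a trailing 'Z' on Python < 3.11."""
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"
    dt = datetime.fromisoformat(value)
    if dt.tzinfo is None:
        raise ValueError("Expires must carry a timezone offset")
    return dt


def check_security_txt(text, now=None):
    """Return a list of problems; an empty list means the record passes."""
    now = now or datetime.now(timezone.utc)
    fields, problems = parse_security_txt(text)
    for name in REQUIRED:
        if name not in fields:
            problems.append(f"missing required field {name.capitalize()}")
    for name in AT_MOST_ONE:
        if len(fields.get(name, [])) > 1:
            problems.append(f"{name.capitalize()} appears {len(fields[name])} times; at most one allowed")
    for value in fields.get("contact", []):
        if not value.lower().startswith(CONTACT_SCHEMES):
            problems.append(f"Contact {value!r} is not a mailto:, https:// or tel: URI")
    for name in URI_FIELDS:
        for value in fields.get(name, []):
            if not re.match(r"^[a-z][a-z0-9+.-]*:", value, re.I):
                problems.append(f"{name.capitalize()} {value!r} is not a URI")
    for value in fields.get("expires", [])[:1]:
        try:
            exp = parse_expires(value)
        except ValueError as err:
            problems.append(f"Expires {value!r} is not an RFC 3339 date-time ({err})")
            continue
        if exp <= now:
            problems.append(f"record expired at {value}; do not trust its contact details")
        elif exp - now > timedelta(days=366):
            problems.append(f"Expires {value} is more than a year out (RFC 9116 recommends less)")
    return problems


if __name__ == "__main__":
    print("sample:", check_security_txt(SAMPLE, now=SAMPLE_NOW) or "OK")
    for problem in check_security_txt(BAD_SAMPLE, now=SAMPLE_NOW):
        print("bad sample:", problem)
```

Run it against a live record by reading the fetched file into `check_security_txt`; an expired record or a bare e-mail address in Contact is the usual sign that the file has not been maintained and that its key should not be trusted without confirming by another route.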
Please do not open public issues
Do not file public tickets for security vulnerabilities. Because the platform serves discreet, high-value clients, information about our attack surface can be misused against live tenants. Report privately and we will coordinate.
What to include
Clear reproduction steps; the impact, meaning what an attacker can actually do; and the source IP addresses you tested from, so we can reconcile your activity with our logs. A scanner result without a working proof-of-concept is not enough for us to act on.
Safe harbor
Our commitment to good-faith researchers
If your research follows this policy, we will not pursue or support legal action against you for it, we will work with you to understand and fix the issue, and we will credit you publicly if you want.
"Good faith" means that you make a reasonable effort to avoid privacy violations, data destruction and service interruption; that you give us a reasonable window to fix an issue before disclosing it publicly; that you access or modify no more data than is necessary to demonstrate the issue; and that you do not make payment a condition of reporting. We extend the same safe harbor to penetration testers engaged by our customers, provided they email us beforehand with the customer's written authorization so that we can coordinate the test window.
Scope
What is in and out of scope
In scope
Our production web surface on hivesilo.com, the public Beacon SDK as served from our content delivery network, and our enterprise SSO and SCIM endpoints. For automated testing, request an isolated sandbox tenant from security@hivesilo.com rather than testing production.
Out of scope
Findings against a customer's own systems or the third-party services we integrate with (report those to that vendor's program); social engineering of our people; physical attacks; denial-of-service; missing-header reports without an exploitation path; self-XSS without cross-user impact; and anything outside our current production code.
We deliberately do not publish internal architecture details, build internals or the mechanics that would help an attacker, here or anywhere else public. Reviewers who need them receive them under a structured walkthrough.
Coordinated disclosure
Our target response timeline
Measured from receipt of a complete report. If we cannot meet a target, we will tell you before it expires and propose a revised schedule.
| Phase | Target |
|---|---|
| Acknowledgement of receipt | 48 hours, from a named responder |
| Triage outcome (accepted / duplicate / out of scope) | 5 business days |
| Remediation, Critical / High | 30 days |
| Remediation, Medium | 90 days |
| Remediation, Low | 180 days |
| Agreed public disclosure window | 90 days from triage, extendable by agreement |
We coordinate on CVE assignment and, for issues in shared primitives, engage the upstream maintainer first.
Supply-chain transparency
Every release is signed with Cosign, recorded in the Rekor public transparency log, and ships with an SBOM and SLSA provenance; the hardware measurement is published alongside the image digest. If you find a discrepancy between what the public transparency log records for a release and what a running system attests, that finding is automatically in scope and treated as high priority.
Hall of fame
Researchers who disclose responsibly are credited here with their consent and preferred name. No vulnerabilities have yet been responsibly disclosed. Be the first.
Bounty
We are in the process of funding a formal bug-bounty program. Until it launches, we offer public credit, swag and a reference letter for responsible disclosures, and monetary bounties will be paid retroactively for any Critical or High finding submitted before launch.
Contact
Report a security issue
Email security@hivesilo.com. For partnership inquiries from audit firms or bounty platforms, use the same address with "Partnership" in the subject.
The current verification status is published at the Trust Center. Enterprise pricing on inquiry.