Vulnerability Disclosure Policy
Coordinated, responsible disclosure of security vulnerabilities to protect our customers and the broader community.
Our Commitment to Security Research
S6 Security Labs values the security research community and recognizes the critical role researchers play in keeping the internet safe. We are committed to working with security researchers to understand and address vulnerabilities responsibly, protecting our customers and the broader security ecosystem.
Reporting a Vulnerability
How to Report
If you discover a security vulnerability in any S6 product, service, or website, please report it to our security team at security@s6securitylabs.com (full contact details are in the Contact Information section below).
For sensitive reports, encrypt your message with PGP. Our public key is referenced from /.well-known/security.txt.
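Before trusting a key advertised this way, a reporter should confirm the security.txt itself is current and well-formed (RFC 9116 requires a Contact field and a single, unexpired Expires field). The following is an added example, not code from S6 Security Labs; the two security.txt documents it checks are constructed here, and the example.com domain, URLs and dates in them are placeholders.

```python
"""Check an RFC 9116 security.txt before trusting the contact and PGP key
it advertises. Added example for this page; the sample files are constructed
and are not S6 Security Labs' real /.well-known/security.txt."""
from datetime import datetime, timezone

# Constructed sample: a well-formed file (domain and URLs are placeholders).
GOOD_SECURITY_TXT = """\
# security.txt for example.com (constructed sample)
Contact: mailto:security@example.com
Contact: https://example.com/security/report
Expires: 2026-12-31T23:59:59.000Z
Encryption: https://example.com/.well-known/pgp-key.txt
Preferred-Languages: en
Canonical: https://example.com/.well-known/security.txt
"""

# Constructed sample: a stale file whose key URL is served over plain HTTP.
STALE_SECURITY_TXT = """\
Contact: mailto:security@example.com
Expires: 2024-01-01T00:00:00.000Z
Encryption: http://example.com/pgp-key.txt
"""


def parse_security_txt(text):
    """Map lower-cased field names to their list of values, skipping comments and blank lines."""
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            continue  # tolerate a stray non-field line instead of aborting
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields


def _parse_timestamp(value):
    # RFC 9116 timestamps are ISO 8601; Python < 3.11 needs 'Z' rewritten as '+00:00'.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def audit(text, now_iso=None):
    """Return a list of problems; an empty list means the file is safe to act on."""
    now = _parse_timestamp(now_iso) if now_iso else datetime.now(timezone.utc)
    fields = parse_security_txt(text)
    problems = []
    if not fields.get("contact"):
        problems.append("missing Contact")
    expires = fields.get("expires", [])
    if len(expires) != 1:
        problems.append("Expires must appear exactly once")
    else:
        try:
            if _parse_timestamp(expires[0]) <= now:
                problems.append("file has expired; do not trust the key or contacts")
        except ValueError:
            problems.append("Expires is not an ISO 8601 timestamp")
    # Encryption may also use dns: or openpgp4fpr: schemes, so only plain http:// is rejected.
    for name in ("encryption", "canonical"):
        for url in fields.get(name, []):
            if url.lower().startswith("http://"):
                problems.append(f"{name} URL is not https: {url}")
    return problems


def pgp_key_url(text):
    """Return the first Encryption value, or None when the file does not advertise a key."""
    keys = parse_security_txt(text).get("encryption", [])
    return keys[0] if keys else None


if __name__ == "__main__":
    for label, doc in (("good", GOOD_SECURITY_TXT), ("stale", STALE_SECURITY_TXT)):
        print(label, audit(doc, "2026-03-01T00:00:00Z") or "OK", "key:", pgp_key_url(doc))
```

Only once `audit` returns no problems should the Encryption URL be fetched and the key imported; an expired file is a signal that the vendor's contact details may no longer be maintained, and a key fetched over plain HTTP could be swapped in transit.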
What to Include
To help us understand and address the issue quickly, please include:
- Detailed Description: Clear explanation of the vulnerability and its potential impact
- Affected Components: Product name, version number, specific features or endpoints
- Reproduction Steps: Step-by-step instructions to reproduce the vulnerability
- Proof of Concept: Code, screenshots, or video demonstration (if applicable)
- Your Contact Information: Email address and preferred name/alias for acknowledgment
- Suggested Remediation: If you have thoughts on how to fix it (optional but appreciated)
Coordinated Disclosure Timeline
S6 Security Labs follows a standard 90-day coordinated disclosure timeline designed to balance public safety with the time needed for proper remediation:
Initial Response (within 72 hours)
We acknowledge receipt of your report, begin our initial assessment, and send you an initial timeline.
Validation & Triage (Days 1-7)
Our security team reproduces and validates the vulnerability, assesses severity using CVSS v3.1, and determines affected versions. We may request additional information or clarification.
Development & Testing (Days 8-60)
We develop, test, and internally review fixes. For critical vulnerabilities, we expedite this process. We keep you updated on progress and may request your assistance in verifying fixes.
Release & Notification (Days 61-90)
We release patches to customers with security advisories. We coordinate with you on public disclosure timing and content, including CVE assignment and credit attribution.
Public Disclosure (Day 90)
At day 90, or sooner once an agreed-upon percentage of customers has patched, we publicly disclose the vulnerability with full details, remediation guidance, and researcher credit.
📅 Early Disclosure: We may disclose earlier if the vulnerability is being actively exploited, becomes public knowledge, or if we mutually agree to accelerate the timeline.
Safe Harbor & Legal Protection
We commit to not pursue legal action against security researchers who:
- Report vulnerabilities in good faith through our disclosure process
- Make a good faith effort to avoid privacy violations, data destruction, and service disruption
- Do not exploit vulnerabilities beyond what is necessary to demonstrate the issue
- Keep vulnerability details confidential until we've had a reasonable time to address the issue
- Do not demand payment or compensation as a condition of disclosure
This safe harbor applies to security research activities conducted in accordance with this policy. If you're uncertain whether your research complies, please contact us before proceeding.
Scope
✓ In Scope
- s6securitylabs.com and subdomains
- S6 Spectra (all deployment modes)
- S6 Trace (SaaS platform)
- S6 Vantage for Splunk (Core and Pro)
- Cyber Threat Hunters (iOS app)
- Public APIs and integrations
- Customer portals and dashboards
✗ Out of Scope
- Social engineering of S6 employees
- Physical attacks on S6 facilities
- Denial of Service (DoS/DDoS) attacks
- Third-party services and dependencies
- Spam or content injection with no security impact
- Issues affecting outdated/unsupported versions
- Low-severity issues (e.g., missing security headers without demonstrable impact)
⚠️ Testing Guidelines: Do not test against production systems with real customer data. We can provide test accounts upon request. Any testing that impacts service availability or customer data is prohibited.
Exclusions & Non-Qualifying Issues
The following are generally not considered security vulnerabilities:
- Clickjacking on pages with no sensitive actions
- Missing HTTP security headers without demonstrable security impact
- Presence of application version numbers or server banners
- Theoretical vulnerabilities without proof of concept
- Reports that rely on social engineering or on users' credential hygiene (e.g., open registration, account takeover through credential reuse)
- Reports from automated tools without analysis or proof of exploitability
- Issues requiring significant user interaction or unlikely scenarios
- Best practice violations without security impact
Recognition & Rewards
We value the contributions of security researchers and offer recognition through:
- Public Credit: With your permission, we'll acknowledge you in our security advisories and hall of fame
- CVE Credit: For significant findings, we'll name you as the discoverer in the CVE record
- Swag & Merchandise: S6 Security Labs branded items for valid reports
- Direct Communication: Opportunity to work directly with our security team
Note: We currently do not offer a bug bounty program. However, we deeply appreciate the time and effort researchers invest in making our products more secure.
Our Vulnerability Disclosure Practice
As an offensive security company, S6 Security Labs also discovers vulnerabilities in third-party products during our research and client engagements. We follow our own coordinated disclosure principles:
Initial Contact (Day 0)
We reserve CVE identifiers and contact affected vendors via multiple channels (email, published security contacts, phone).
Detailed Notification (Day 7)
Upon vendor confirmation, we provide full technical details, suggested remediation, and proposed timeline.
Public Disclosure (Day 90+)
We publish advisories with remediation details, proof-of-concept code, and indicators of compromise. Extensions are granted for good-faith remediation efforts.
We coordinate with national and regional CERTs and agencies (US-CERT, CERT-AU, ENISA) and will not disclose to entities on OFAC sanctions lists.
Contact Information
S6 Security Team
Email: security@s6securitylabs.com
PGP Key: Available at /.well-known/security.txt
For general security questions or non-vulnerability inquiries, see our Security Program.
Policy Updates
This policy may be updated periodically to reflect changes in our disclosure practices or legal requirements. Material changes will be posted prominently on this page. Last updated: December 28, 2025.