Vulnerability Disclosure Policy

Last updated: March 2025

Scope

This policy applies to all vulnerabilities identified by external researchers, security professionals, or any third-party entities concerning Pipe17’s systems, software, applications, or services.

Purpose

To define clear guidelines and procedures for responsibly reporting security vulnerabilities to Pipe17, ensuring timely acknowledgment, assessment, and remediation of vulnerabilities, thereby maintaining the security and integrity of Pipe17 services.

Reporting Procedure

  • Vulnerabilities should be reported via email to security@pipe17.com.
  • Reports should include detailed information necessary to replicate and validate the vulnerability, including:
    • Vulnerability description
    • Steps to reproduce
    • Potential impact
    • Proof-of-concept (if applicable)

Acknowledgment Timeline

  • Pipe17 commits to acknowledging receipt of vulnerability reports within 24 hours.
  • Initial acknowledgment will include confirmation of report receipt and initial steps taken to investigate.

Remediation Timelines

Upon verification, vulnerabilities will be categorized based on severity, with remediation targets as follows:

Severity Level    Remediation Timeline
Critical          Within 7 days
High              Within 14 days
Medium            Within 30 days
Low               Within 60 days

Responsible Disclosure Guidelines

  • Researchers are expected to follow responsible disclosure practices, including:
    • Providing Pipe17 reasonable time to investigate and remediate before public disclosure.
    • Avoiding any action that could compromise Pipe17’s systems, data, or user experience.
  • Public disclosure or sharing of vulnerabilities without Pipe17’s explicit consent is strictly prohibited until the vulnerability is resolved.

Communication

  • Pipe17 will communicate clearly and promptly with the reporting party throughout the investigation and remediation process.
  • Once the vulnerability is resolved, Pipe17 may, at its discretion and with permission, publicly acknowledge the reporting party.

Exceptions

Any exceptions to the stated timelines or procedures must be explicitly approved by the Pipe17 CTO or VP of Engineering.

Review

This policy will be reviewed and updated annually, or more frequently if necessary, to ensure alignment with evolving security practices and standards.