Vulnerability Disclosure Policy
How to report a suspected vulnerability, what to include, what is in scope, and how we coordinate disclosure.
Working With Security Researchers
Clear reports help us reproduce, prioritize, and fix issues faster. This policy explains the safe-harbor boundaries, disclosure timeline, and evidence we need from researchers.
Reporting a Vulnerability
How to Report
If you discover a security vulnerability in any S6 product, service, or website, please report it to our security team at security@s6securitylabs.com.
For sensitive reports, you may encrypt your message with PGP. Our public key is published via /.well-known/security.txt (RFC 9116); check the file's Expires date and the key fingerprint before you encrypt to it.
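Before encrypting a report to a key found through security.txt, it is worth checking that the file itself is well-formed and current. The following is an added example (not S6's own tooling) that parses a security.txt and applies the MUST-level rules of RFC 9116: at least one Contact URI, exactly one unexpired Expires timestamp, at most one Preferred-Languages field, and an Encryption URI that is https://, dns: or openpgp4fpr:. The sample file embedded below is constructed for the example and is not S6's real security.txt; the URLs in it are placeholders.

```python
"""Parse and sanity-check a security.txt (RFC 9116) before trusting the
contact address and PGP key it advertises. Added example, not S6's code."""
from datetime import datetime, timezone

# Constructed sample for this example; NOT S6's real security.txt.
SAMPLE_SECURITY_TXT = """\
# constructed example file
Contact: mailto:security@s6securitylabs.com
Expires: 2026-12-31T23:59:59Z
Encryption: https://s6securitylabs.com/.well-known/pgp-key.txt
Preferred-Languages: en
Policy: https://s6securitylabs.com/vulnerability-disclosure
"""

CONTACT_SCHEMES = ("mailto:", "https://", "tel:")      # RFC 9116 2.5.3 Contact
KEY_SCHEMES = ("https://", "dns:", "openpgp4fpr:")     # RFC 9116 2.5.4 Encryption


def _parse_ts(value):
    """RFC 3339 timestamp -> aware datetime; 'Z' is accepted for +00:00."""
    ts = datetime.fromisoformat(value.replace("Z", "+00:00"))
    return ts if ts.tzinfo else ts.replace(tzinfo=timezone.utc)


def parse_security_txt(text):
    """Return {field (lower-case): [values...]}; comments/blank lines skipped."""
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if ":" not in line:
            raise ValueError(f"malformed line: {raw!r}")
        name, value = line.split(":", 1)
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields


def check_security_txt(text, now=None):
    """Apply the RFC 9116 MUST-level rules. Returns (ok, list_of_problems).
    `now` may be an aware datetime or an RFC 3339 string (for testing)."""
    if now is None:
        now = datetime.now(timezone.utc)
    elif isinstance(now, str):
        now = _parse_ts(now)
    problems = []
    try:
        fields = parse_security_txt(text)
    except ValueError as exc:
        return False, [str(exc)]

    contacts = fields.get("contact", [])
    if not contacts:
        problems.append("at least one Contact field is required")
    for c in contacts:
        if not c.startswith(CONTACT_SCHEMES):
            problems.append(f"Contact must be a mailto:/https:/tel: URI: {c}")

    expires = fields.get("expires", [])
    if len(expires) != 1:
        problems.append("exactly one Expires field is required")
    else:
        try:
            if _parse_ts(expires[0]) <= now:
                problems.append(f"file expired at {expires[0]}; do not trust it")
        except ValueError:
            problems.append(f"Expires is not an RFC 3339 timestamp: {expires[0]}")

    if len(fields.get("preferred-languages", [])) > 1:
        problems.append("at most one Preferred-Languages field is allowed")

    for uri in fields.get("encryption", []):
        if not uri.startswith(KEY_SCHEMES):
            problems.append(f"Encryption must be https://, dns: or openpgp4fpr: URI: {uri}")

    return (not problems), problems


if __name__ == "__main__":
    ok, issues = check_security_txt(SAMPLE_SECURITY_TXT)
    print("OK" if ok else "PROBLEMS:", issues)
```

A passing check only proves the file is well-formed and unexpired; it does not authenticate the key. RFC 9116 recommends that the file be cleartext-signed with the same key, so verify that signature (or compare the fingerprint through a second channel) before encrypting a report.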
What to Include
To help us understand and address the issue quickly, please include:
- Detailed Description: Clear explanation of the vulnerability and its potential impact
- Affected Components: Product name, version number, specific features or endpoints
- Reproduction Steps: Step-by-step instructions to reproduce the vulnerability
- Proof of Concept: Code, screenshots, or video demonstration (if applicable)
- Your Contact Information: Email address and preferred name/alias for acknowledgment
- Suggested Remediation: If you have thoughts on how to fix it (optional but appreciated)
Coordinated Disclosure Timeline
S6 Security Labs follows a 90-day coordinated disclosure timeline designed to balance public safety with time needed to validate, fix, test, and notify affected customers:
Initial Response (within 72 hours)
We acknowledge receipt of your report, begin our initial assessment, and send you an initial timeline.
Validation & Triage (Days 1-7)
Our security team reproduces and validates the vulnerability, assesses severity using CVSS v3.1, and determines affected versions. We may request additional information or clarification.
Development & Testing (Days 8-60)
We develop, test, and internally review fixes. For critical vulnerabilities, we expedite this process. We keep you updated on progress and may request your assistance in verifying fixes.
Release & Notification (Days 61-90)
We release patches to customers with security advisories. We coordinate with you on public disclosure timing and content, including CVE assignment and credit attribution.
Public Disclosure (Day 90)
After 90 days, or earlier once an agreed-upon share of customers has patched, we publicly disclose the vulnerability with full details, remediation guidance, and researcher credit.
📅 Early Disclosure: We may disclose earlier if the vulnerability is being actively exploited, becomes public knowledge, or if we mutually agree to accelerate the timeline.
Safe Harbor & Legal Protection
We commit to not pursue legal action against security researchers who:
- Report vulnerabilities in good faith through our disclosure process
- Make a good faith effort to avoid privacy violations, data destruction, and service disruption
- Do not exploit vulnerabilities beyond what is necessary to demonstrate the issue
- Keep vulnerability details confidential until we've had a reasonable time to address the issue
- Do not demand payment or compensation as a condition of disclosure
This safe harbor applies to security research activities conducted in accordance with this policy. If you're uncertain whether your research complies, please contact us before proceeding.
Scope
✓ In Scope
- s6securitylabs.com and subdomains
- S6 Spectra (all deployment modes)
- S6 Trace (SaaS platform)
- S6 Vantage for Splunk (Core and Pro)
- Cyber Threat Hunters (iOS app)
- Public APIs and integrations
- Customer portals and dashboards
✗ Out of Scope
- Social engineering of S6 employees
- Physical attacks on S6 facilities
- Denial of Service (DoS/DDoS) attacks
- Third-party services and dependencies
- Spam or content injection with no security impact
- Issues affecting outdated/unsupported versions
- Low-severity issues (e.g., missing security headers without demonstrable impact)
⚠️ Testing Guidelines: Do not test against production systems with real customer data. We can provide test accounts upon request. Any testing that impacts service availability or customer data is prohibited.
Exclusions & Non-Qualifying Issues
The following are generally not considered security vulnerabilities:
- Clickjacking on pages with no sensitive actions
- Missing HTTP security headers without demonstrable security impact
- Presence of application version numbers or server banners
- Theoretical vulnerabilities without proof of concept
- Issues that depend on social engineering or on credentials obtained elsewhere (e.g., open self-registration, account takeover through credential reuse/stuffing)
- Reports from automated tools without analysis or proof of exploitability
- Issues requiring unlikely user interaction or unrealistic scenarios
- Configuration preferences or hardening suggestions without security impact
Recognition & Rewards
We recognize valid reports in the following ways:
- Public Credit: With your permission, we'll acknowledge you in our security advisories and hall of fame
- CVE Credit: Where a CVE is assigned, we'll list you as a discoverer when permitted
- Swag & Merchandise: S6 Security Labs branded items for valid reports
- Direct Communication: Opportunity to work directly with our security team
Note: We currently do not offer a bug bounty program.
Our Vulnerability Disclosure Practice
As an offensive security company, S6 Security Labs also discovers vulnerabilities in third-party products during our research and client engagements. We follow our own coordinated disclosure principles:
Initial Contact (Day 0)
We reserve CVE identifiers and contact affected vendors via multiple channels (email, security contacts, phone).
Detailed Notification (Day 7)
Upon vendor confirmation, we provide technical details, suggested remediation, and a proposed timeline.
Public Disclosure (Day 90+)
We publish advisories with remediation details, proof-of-concept code, and indicators of compromise. Extensions are granted for good-faith remediation efforts.
We coordinate with national and regional CERTs/CSIRTs and cybersecurity agencies (e.g., US-CERT, CERT-AU, ENISA) and will not disclose to entities on OFAC sanctions lists.
Contact Information
S6 Security Team
Email: security@s6securitylabs.com
PGP Key: Available at /.well-known/security.txt
For general security questions or non-vulnerability inquiries, see our Security Program.
Policy Updates
This policy may be updated periodically to reflect changes in our disclosure practices or legal requirements. Material changes will be posted prominently on this page. Last updated: December 28, 2025.