Vulnerability Disclosure Policy
Statement
ClaimGuard welcomes good-faith security research. If you believe you have found a security vulnerability in ClaimGuard, please report it to us using the channel below. We commit to responding promptly, working with you on remediation, and not pursuing legal action against researchers acting in accordance with this policy.
This policy is not a bug bounty program — we do not currently offer monetary rewards. We do offer public acknowledgement (with your consent) once a reported issue is fixed.
How to report
Email: security@dtectvision.ai
Please include:
- A description of the vulnerability and its impact.
- Steps to reproduce, ideally with a proof-of-concept.
- The affected component (URL, API endpoint, or repo path).
- Your contact details and how you'd like to be acknowledged (or not).
You may encrypt sensitive contents using a PGP key on request. Reply to your initial mail and we'll send you the current key fingerprint.
What we commit to
- Acknowledgement of your report within 3 business days.
- An initial assessment (severity, scope, planned remediation timing) within 10 business days.
- Status updates at least every two weeks while remediation is in flight.
- Public credit (with your consent) on this page and in release notes when the fix ships.
- Safe harbor: if you act in good faith and within the scope below, we will not pursue legal action and will work with any third party to withdraw any takedown or disclosure complaint that reaches us.
In scope
- The ClaimGuard production application and its public APIs.
- The claim-guard-app-1 host and its internet-exposed surface.
- Authentication, authorization, session, and data-handling flows.
- Outbound integrations the application initiates against attacker-controlled inputs (SSRF, request smuggling, blind redirects, etc.).
- The trust portal at trust.dtectvision.ai itself.
Out of scope
- Findings against systems we do not operate (e.g., upstream SaaS we integrate with — please report to those vendors directly).
- Volumetric, denial-of-service, or rate-based attacks. Please don't.
- Social engineering of ClaimGuard staff, customers, or vendors.
- Physical attacks on infrastructure.
- Findings that require malware, rooted devices, or compromised credentials supplied by the user.
- Issues in third-party libraries that have no demonstrated exploitability against ClaimGuard's deployment.
- Reports based solely on automated scanner output without reproduction-validated impact.
- Missing security headers, CSP nuances, or cookie-flag combinations on endpoints that don't return sensitive data.
- Self-XSS that requires the user to paste arbitrary content into their own browser console.
Researcher rules of engagement
When testing in scope, please:
- Don't access, modify, or destroy data that doesn't belong to you. If you accidentally do, stop, report it, and we'll cooperate on containment.
- Stay within the scope above. If you find something out of scope but alarming, email us anyway — we'll route it.
- Don't publish or share your findings until we've agreed on a disclosure timeline. Default: 90 days from initial report or remediation, whichever is sooner.
- Use test accounts where possible. If you need test infrastructure beyond what's publicly reachable, ask.
Hall of fame
Researchers acknowledged for valid reports will be listed here once the program receives its first external submission.
Status
implemented — verified 2026-04-29.
This policy is the active disclosure channel for ClaimGuard. The security@dtectvision.ai mailbox is monitored on business days; reports are triaged within the SLA above.
Roadmap
- PGP key publication on this page once the disclosure mailbox has handled its first external report and stabilizes on a key rotation cadence.
- Bug bounty consideration is an explicit non-goal until SOC 2 Type I is complete; this VDP is the SOC-2-friendly substitute.
- /.well-known/security.txt at the application root pointing at this page (planned alongside A1.3 LB cutover).