Vulnerability Disclosure
Hubzoid welcomes responsible reports of security issues. This page describes the scope, how to report, and what to expect.
Scope
In scope. The marketing site at hubzoid.com and any subdomains operated directly by Hubzoid. Hubzoid software components delivered into a customer deployment.
Out of scope. Customer-deployed hubs (these belong to the customer; please report to that customer's security contact). Issues in third-party services (please report directly to the third party).
How to report
Email security@hubzoid.com with a clear description of the issue, steps to reproduce, and any proof-of-concept. PGP-encrypted reports are accepted; ask for our public key if you want to encrypt your report.
Please do not publicly disclose an issue before we have had a reasonable opportunity to fix it.
Safe harbour
Hubzoid will not pursue legal action against good-faith security research that complies with this policy and applicable law. Good faith means: avoid privacy violations, data destruction, and service disruption; do not access more data than necessary to demonstrate the issue; report promptly.
What to expect
Acknowledgment within five business days of receipt.
Triage and severity assessment within ten business days.
Target fix within thirty days for critical issues; less critical issues are scheduled into the regular release cycle.
We do not currently run a paid bug bounty.
Credit
With your permission, we are happy to credit you on our acknowledgments page when an issue is fixed.