Scope
- In scope. The SecHive website (sechive.ai), the SecHive platform, the published proof-pack format, and the public case-study artifacts.
- Out of scope. Third-party services we link to, customer engagements, and any system not under SecHive's control.
How to report
- Email [email protected] with a clear description, reproduction steps, and impact.
- Encrypt sensitive material with our PGP key (fingerprint published on this page; request the key by email).
- Allow up to 90 days before public disclosure.
Safe harbor
Good-faith research within scope and in compliance with this policy will not result in legal action by SecHive. We will not pursue or support a complaint against you for accessing data or systems no further than necessary to demonstrate the issue, provided you do not exfiltrate, modify or destroy data, and you respect privacy and availability.
What we ask
- Do not test against customer engagements or evidence.
- Do not exfiltrate data beyond what is necessary to prove the issue.
- Do not run automated load against production endpoints.
- Do not publicly disclose before we have responded and a fix is in place.
Acknowledgements
With reporter consent, we credit confirmed external reports in a public hall of fame published quarterly.