If you believe you have found a security vulnerability in any Spacetime product or service, please report it to us at security@spacetimesecurity.ai. We are committed to working with the security community to verify, reproduce, and respond to all legitimate reports.
Our Commitment
Spacetime Security, Inc. takes the security of our products and services seriously. We value the work of security researchers and the broader community in helping us maintain the highest standards of security for our customers.
We are committed to:
- Acknowledging receipt of your report within 3 business days
- Providing an initial assessment of the report within 10 business days
- Keeping you informed of our progress throughout the remediation process
- Notifying you when the reported vulnerability has been resolved
- Treating all reports with confidentiality and not sharing your personal information without your consent
Scope
This policy applies to security vulnerabilities found in:
- Spacetime's production systems and services accessible at spacetimesecurity.ai and its subdomains
- Spacetime's software products and APIs provided to customers
Out of Scope
The following are explicitly out of scope. Testing against these may result in legal action:
- Denial of service (DoS/DDoS) attacks or testing of any kind
- Spam, social engineering, or phishing attacks against Spacetime employees or customers
- Physical security testing
- Testing on systems or infrastructure not owned or operated by Spacetime
- Automated vulnerability scanning without prior written approval
- Vulnerabilities in third-party services or libraries that are not directly exploitable in Spacetime products
Responsible Disclosure Guidelines
We ask that security researchers adhere to the following guidelines when conducting security research and submitting reports:
- Do not access, modify, or delete data that does not belong to you
- Do not disrupt the availability or integrity of our services
- Report vulnerabilities promptly after discovery and do not exploit them beyond what is necessary to demonstrate the issue
- Provide sufficient detail to allow us to reproduce and verify the vulnerability
- Allow reasonable time for remediation before any public disclosure — we request a minimum of 90 days
- Do not share vulnerability details with third parties prior to remediation without our written consent
How to Report
Please submit vulnerability reports by email to security@spacetimesecurity.ai.
Include as much of the following information as possible to help us triage your report quickly:
- Type of vulnerability (e.g., XSS, SQL injection, authentication bypass)
- Affected URL, endpoint, or component
- Step-by-step instructions to reproduce the issue
- Proof-of-concept code or screenshots, if applicable
- Potential impact and severity assessment
You may encrypt sensitive reports using PGP if required. Please contact us first to coordinate key exchange.
Safe Harbor
Spacetime Security, Inc. will not pursue civil or criminal action against researchers who discover and report security vulnerabilities in good faith and in compliance with this policy. We consider security research conducted in accordance with this policy to constitute authorized access under applicable computer fraud and abuse laws.
If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.
Contact
For all security-related matters, contact us at security@spacetimesecurity.ai.
This policy is subject to change. The current version is always available at spacetimesecurity.ai/security-vulnerability-disclosure-policy.html and referenced in our security.txt file (RFC 9116).