Trust Center / Responsible disclosure
Responsible disclosure
IlluminateRisk welcomes good-faith security research. If you've found a vulnerability, this page is how to report it, what we'll do, and what we promise in return.
Downloaded from https://illuminaterisk.ai/trust/responsible-disclosure.
How to report
Email support@illuminaterisk.ai with the following:
- A concise description of the issue and the impact you believe it has.
- Steps to reproduce — proof-of-concept payload, request / response examples, screenshots.
- The affected URL, endpoint, or screen, and the build / release identifier if you can see one.
- Any constraints (preconditions, account types, browser).
- Your preferred name (or pseudonym) for any acknowledgement, and whether we may credit you publicly when the fix ships.
If the finding is sensitive enough that email plaintext isn't appropriate, ask in your first message and we'll arrange an encrypted channel.
What we'll do
- Acknowledge receipt within three (3) business days.
- Triage the finding and assign a severity (Critical / High / Medium / Low / Informational).
- Communicate on a defined cadence — weekly for Critical/High, biweekly for Medium, monthly for Low — until the finding is closed.
- Remediate within the target window for the severity (below).
- Notify the reporter when the fix is deployed; coordinate any public disclosure.
| Severity | Target resolution |
|---|---|
| Critical (immediate data exposure / RCE) | Mitigation within 48 hours; permanent fix within 7 days. |
| High (privilege escalation / auth bypass) | Within 14 days. |
| Medium (information disclosure with low blast radius) | Within 30 days. |
| Low / Informational | Next maintenance window or roadmap cycle. |
In scope
- The Platform application at
*.illuminaterisk.aitenant subdomains. - The Portal at
illuminaterisk.aiand its endpoints under/admin/*,/oauth/*, and/portal/*. - The marketing site at
illuminaterisk.aiand the Trust Center under/trust/*. - The authentication and authorization layer common to both apps.
- Public webhook endpoints (Stripe, SES/SNS).
- Open-source components we ship as part of the product, where the vulnerability is exploitable in our deployment.
Out of scope
- Findings that require physical access to a customer's device.
- Reports relying on social engineering of IlluminateRisk staff or customers.
- Denial-of-service attacks, traffic floods, or load-based proofs.
- Automated-scanner output without a specific demonstrable impact.
- Reports about email-header configuration (SPF / DKIM / DMARC) where the configuration matches current best practice but doesn't fully match a tool's preferred pattern.
- Missing security headers on assets that don't materially affect the security posture (e.g., the marketing static site).
- Third-party services we use (AWS, Stripe, Cloudflare, etc.) — report those to the upstream provider.
- Subdomain takeovers on domains we don't operate.
- "Best practice" recommendations without an exploitable finding.
Safe harbor
Good-faith security research is welcome and will not be pursued. If you:
- Comply with this policy and any specific instructions we provide in response to your report,
- Make a good-faith effort to avoid privacy violations, data destruction, and service interruption,
- Do not exfiltrate, store, retain, or share customer data beyond the minimum needed to demonstrate the finding,
- Give us a reasonable window to remediate before any public disclosure,
… then IlluminateRisk will not pursue legal action against you for your research, will treat your activity as authorized testing under the Computer Fraud and Abuse Act and similar laws, and will request that any third party we engage with (counsel, law enforcement) honors the same position.
What we ask
- Don't access more data than is necessary to demonstrate the finding.
- Don't pivot from a finding to read customer documents, run queries on production data, or test other customers' tenants.
- Don't publicly disclose the finding before we've shipped the fix and agreed on a disclosure date.
- Test against your own account, the documentation site, or accounts we provide for research. If you don't have one, ask.
Recognition
We're a small team without a paid bug-bounty program yet. We do, however, maintain a "Researchers we owe" list on this page once we have a fix to tell the story about, and we ship a thank-you note (and a hat) for every validated report. If a researcher's contribution warrants more than that, we'll work out something reasonable — get in touch.
Contact
support@illuminaterisk.ai — the single team mailbox for all IlluminateRisk inquiries. Please tag the subject line with [SECURITY] so the first responder routes your report into the triage queue.