Security disclosure.
How to report a vulnerability and what you can expect from us. Plain language, written for humans first and lawyers second.
Reporting
Email security@1defender.com. Plaintext is acceptable today; once a PGP key is in production we'll reference it from /.well-known/security.txt (the RFC 9116 Encryption field points to the key; the file itself does not host it). Please include reproduction steps, affected URLs or endpoints, and the impact you observed.
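As an added illustration, not the file 1Defender currently serves, this is what a /.well-known/security.txt that follows RFC 9116 looks like. The Contact address and the acknowledgments path come from this page; the key URL, the canonical URL, the domain (inferred from the email address) and the expiry date are assumptions.

```text
# /.well-known/security.txt (illustrative; not 1Defender's published file)
# Contact and Acknowledgments come from this page. Encryption, Canonical and
# Expires are placeholders to be set when the key and the file go live.
Contact: mailto:security@1defender.com
Encryption: https://1defender.com/.well-known/pgp-key.txt
Acknowledgments: https://1defender.com/security-acknowledgments
Canonical: https://1defender.com/.well-known/security.txt
Preferred-Languages: en
Expires: 2026-12-31T23:59:59.000Z
```

Two points a practitioner checks: Contact and Expires are mandatory, and the Expires value should be kept under a year out so a stale file is not trusted indefinitely; and Encryption only points at the key (a URL, a dns: record or an openpgp4fpr: fingerprint), so the file can be published now with the Contact line and the Encryption line added, and the file clearsigned, once the key exists.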
Our commitments
- Acknowledgement within 24 hours. A human at 1Defender Inc. will reply confirming we have your report — even outside business hours.
- 90-day disclosure window. We will work to remediate confirmed issues within 90 days of receipt and coordinate a public disclosure timeline with you. Extensions for complex fixes are negotiated, not unilateral.
- Credit in our acknowledgments page. If you'd like, we'll list you on /security-acknowledgments. Anonymity is fine too — just tell us.
Safe harbour
We will not pursue legal action against researchers acting in good faith under this policy. "Good faith" means: you make a reasonable effort to avoid privacy violations, data destruction, and service degradation; you give us a reasonable window to remediate before publishing; and you do not exfiltrate, retain, or share user data beyond what's strictly necessary to demonstrate the issue.
Out of scope
- Denial-of-service, volumetric, or resource-exhaustion testing.
- Social engineering of staff, contractors, or customers.
- Physical attacks against our offices, hosting providers, or staff.
- Anything that places customer data at risk — destructive testing, mass account enumeration, exfiltration of real user records.
- Reports based solely on missing best-practice headers when no exploitable issue is demonstrated.