Vulnerability Disclosure Program

CustomerNode welcomes good-faith security research. This page describes how to report a vulnerability, what is in scope, what we ask researchers to avoid, and how we will respond.

Report a vulnerability

Email [email protected] with subject line beginning “Security:”. We acknowledge reports within 2 business days and aim to triage within 5 business days.

Scope

The following CustomerNode-operated systems are in scope:

  • customernode.com and its subdomains operated by CustomerNode
  • The CustomerNode web application (authenticated and unauthenticated surfaces)
  • Public APIs documented in the application

Out of scope

The following are not in scope and should not be tested:

  • Third-party services and subprocessors (see Subprocessors) — report directly to that vendor.
  • Social engineering of CustomerNode employees, customers, or vendors.
  • Physical attacks against CustomerNode offices, personnel, or infrastructure.
  • Denial-of-service, volumetric, brute-force, or load-testing attacks.
  • Automated scanning that generates significant traffic against production endpoints.
  • Findings derived solely from missing best-practice headers with no demonstrable impact (e.g. missing X-Frame-Options on a page that cannot be framed meaningfully, cookie flag suggestions on non-sensitive cookies, SPF/DMARC/DKIM tuning).
  • Reports generated by automated tools without manual validation.
  • Issues in software CustomerNode does not operate (browser bugs, OS bugs, etc.).
  • Self-XSS, tab-nabbing, and clickjacking on pages with no sensitive state-changing actions.

Rules of engagement

When testing, researchers must:

  • Use only test accounts you create yourself. Do not access, modify, or destroy data belonging to other users or tenants.
  • Stop immediately and report if you encounter another user’s data, credentials, or PII.
  • Avoid privacy violations, service degradation, and data destruction.
  • Avoid automated scanners that generate high traffic volume. If you need to scan, contact us first.
  • Make a good-faith effort to avoid impact to availability and integrity of the service for other customers.
  • Provide enough detail for us to reproduce the issue: steps, payload, affected URL, account context, timestamps.
  • Give us a reasonable opportunity to remediate before disclosing publicly (see Coordinated disclosure below).

Safe harbor

If you make a good-faith effort to comply with this policy during your security research, we will consider your research to be authorized. Specifically, we will:

  • Not pursue or support any legal action against you in connection with that research.
  • Work with you to understand and resolve the issue quickly.
  • Recognize your contribution publicly with your permission (see Recognition).

Safe harbor applies only to research conducted in accordance with this policy. It does not apply to research that violates the out-of-scope or rules-of-engagement sections above, that affects users or tenants other than yourself, or that breaks applicable law independent of this policy. If you are unsure whether your planned research is covered, contact us before testing; we’d rather scope it together than deal with it after the fact.

Our response process

  • Acknowledgment within 2 business days of receipt.
  • Initial triage within 5 business days — we will tell you whether the report is in scope, our preliminary severity assessment, and expected next steps.
  • Periodic status updates while the issue remains open.
  • Remediation timelines are driven by severity:
    • Critical: emergency remediation path with accelerated response and deployment timelines.
    • High: prioritized into the next release cycle.
    • Medium / Low: addressed within standard release cycles.
  • Resolution notification when the issue is fixed in production.

Coordinated disclosure

We ask researchers to keep findings confidential until we have remediated the issue or have agreed on a disclosure window. Our default coordinated-disclosure window is 90 days from acknowledgment, which we may extend by mutual agreement if remediation requires coordination with subprocessors or customers. We will not request indefinite non-disclosure.

Recognition

CustomerNode does not currently operate a paid bug bounty. We will, with your permission, publicly thank researchers who report valid, in-scope vulnerabilities through this program. Recognition criteria: the report was original, in-scope, validated by us, and reported in accordance with this policy.

Customer-driven security testing

Customers wishing to perform a security test against their own tenant must obtain prior written approval, as described in the Audit Policy. Approved tests are scoped to the requesting tenant and bounded in volume so they do not impact other customers. Unapproved scans against shared production endpoints may be treated as abusive traffic and blocked.

Confidentiality

Reports submitted under this program are treated as confidential. We will not share your identity or the contents of your report outside the personnel needed to remediate the issue without your consent, except where compelled by law.

Contact

Email: [email protected]
Subject line: begin with “Security:” so the report is routed correctly.
Encryption: if you need to send sensitive details encrypted, request our PGP key in the initial message and we will provide it before you transmit details.
