Vulnerability Disclosure Program

Help us keep IncidentFox secure

Introduction

IncidentFox takes security seriously. We welcome responsible disclosure of security vulnerabilities from the security research community and appreciate your efforts to help us maintain a secure product.

If you believe you've found a security issue in our service, please report it to us as described below. We'll work with you to understand and resolve the issue promptly.

Scope

This vulnerability disclosure program covers:

  • incidentfox.ai website: The main marketing site and public pages
  • slack.incidentfox.ai: Slack OAuth endpoints and bot integration
  • IncidentFox Slack application: The Slack bot and its functionality
  • Related APIs and infrastructure: Backend services supporting the application

Out of Scope

  • Social engineering attacks against IncidentFox employees or customers
  • Physical attacks against IncidentFox infrastructure or offices
  • Denial of service (DoS) or distributed denial of service (DDoS) attacks
  • Vulnerabilities in third-party services (Slack, Anthropic, AWS)

How to Report

To report a security vulnerability, email us at:

security@incidentfox.ai

Please include the following information in your report:

  • Description of the vulnerability: What is the issue and how does it affect the system?
  • Steps to reproduce: Clear, step-by-step instructions to recreate the issue
  • Potential impact: What could an attacker accomplish with this vulnerability?
  • Your contact information (optional): So we can follow up with questions or updates

What to Expect

After you submit a report, here's what you can expect:

  • Acknowledgment within 48 hours:

    We'll confirm receipt of your report and may ask clarifying questions.

  • Status update within 7 days:

    We'll provide an initial assessment and expected timeline for resolution.

  • No legal action against good-faith reporters:

    We will not pursue legal action if you follow responsible disclosure practices.

  • Credit in our security acknowledgments (if desired):

    We're happy to publicly acknowledge your contribution, or you can remain anonymous.

Safe Harbor

We will not pursue legal action against security researchers who:

  • Act in good faith: Make a reasonable effort to avoid privacy violations, data destruction, or service disruption
  • Avoid privacy violations: Do not access, modify, or delete other users' data
  • Do not disrupt our service: Avoid DoS attacks or actions that degrade service availability
  • Report findings promptly and confidentially: Give us a reasonable time to fix the issue before public disclosure

This safe harbor applies to security research activities conducted under this program.

Responsible Disclosure Guidelines

To ensure responsible disclosure:

  • Please give us at least 90 days to investigate and fix the issue before public disclosure
  • Do not exploit the vulnerability beyond what is necessary to demonstrate the issue
  • Only test against accounts you own or have explicit permission to test
  • Keep details of the vulnerability confidential until we've had time to address it

Security Acknowledgments

We appreciate the security researchers who have helped us keep IncidentFox secure. As we receive and resolve vulnerability reports, we'll acknowledge contributors here (with their permission).

No security issues have been reported yet. Be the first to help us improve our security!

Questions?

If you have questions about our vulnerability disclosure program:

security@incidentfox.ai