Found something?
Tell us privately.
How to report a vulnerability in Visual Sentinel, what is in scope, our safe-harbor commitment, and what you can expect from us in return.
Visual Sentinel is a production website-monitoring platform that customers trust with access to their sites, alerting, and operational data. We take that trust seriously, and we are grateful to the security researchers who help us keep it safe. This page explains how to report a vulnerability and what we commit to in return.
Reporting a vulnerability
Please report security issues privately by email, and do not disclose them publicly until we have had a chance to investigate and ship a fix.
- Email: security@visualsentinel.com
- Machine-readable contact: /.well-known/security.txt (RFC 9116)
If you would like to encrypt your report, send a short non-sensitive note to the address above requesting our PGP key; we will provide it and confirm its fingerprint before you send any details of the issue.
What to include
A good report helps us validate and fix the issue faster. Where possible, include:
- A clear description of the vulnerability and its security impact.
- The affected component or URL (for example, the dashboard, the public API, or a status page).
- Step-by-step instructions to reproduce, plus a minimal proof-of-concept.
- Any relevant logs, requests and responses, screenshots, or a short video.
- Your assessment of severity, and whether the issue is actively exploitable.
If you found it through automated tooling, please confirm the finding manually and include a working proof-of-concept rather than raw scanner output.
What we commit to
When you report a valid issue, we will:
- Acknowledge your report within 2 business days.
- Validate it and assign a severity within 5 business days.
- Send you progress updates at least every 7 days while it is open.
- Remediate on a timeline driven by severity (critical issues in days, high in roughly two weeks, medium and low in the next regular release cycle).
- Let you know when the fix is live.
Supported versions
Visual Sentinel is a continuously-deployed service, not a versioned downloadable product. The live service always runs the latest release, and that is the version we support and patch. Security fixes are rolled out directly to the live service.
Scope
In scope
- The web application and dashboard, the public REST API and API-key authentication, public customer status pages and embeds.
- The monitoring, alerting, and notification pipeline insofar as it affects the confidentiality, integrity, or availability of customer accounts and data.
- Authentication, authorization, tenant isolation (one organization accessing another organization's data), billing, and account-takeover paths.
Out of scope
- Websites we monitor on behalf of customers. Visual Sentinel checks third-party sites that customers configure. A vulnerability in one of those sites is not a Visual Sentinel vulnerability. Only report it to us if our platform's handling of that target is itself the problem (for example, a check that can be pointed at internal addresses, i.e. an SSRF that reaches our infrastructure).
- Findings that require a compromised customer device, a malicious browser extension, or a man-in-the-middle on the victim's own network.
- Denial-of-service, volumetric, or resource-exhaustion testing against production. Please describe the theoretical issue instead of demonstrating it at scale.
- Social engineering of our staff or customers, physical attacks, and attacks on our third-party providers.
- Best-practice or informational findings with no demonstrated security impact (see non-qualifying issues below).
Safe harbor
We will not pursue or support legal action against researchers who, in good faith, discover and report a vulnerability under this policy, provided you:
- Make a genuine effort to avoid privacy violations, data destruction, and service degradation.
- Only interact with accounts you own or have explicit permission to test, and do not access, modify, or retain other users' data.
- Stop immediately and contact us if you encounter customer data, secrets, or any sensitive information, and do not save copies.
- Give us a reasonable opportunity to remediate before any disclosure.
If you are unsure whether a specific test is acceptable, ask us first at the contact address above.
Coordinated disclosure
We practice coordinated disclosure. Please give us a reasonable window (typically up to 90 days, or sooner once a fix is live) before disclosing publicly, and coordinate timing with us so we can protect customers during the window. If a fix is taking longer, we will keep you updated and agree on a date together.
Recognition
With your permission, we are happy to publicly credit you for valid, responsibly disclosed reports. Let us know how you would like to be acknowledged, or tell us if you prefer to remain anonymous. We do not currently run a paid bug-bounty program; reports are handled on a goodwill, recognition basis.
Non-qualifying issues
The following generally do not qualify on their own, unless you can chain them into a concrete, demonstrable security impact:
- Missing security headers or cookie-flag nitpicks without a working exploit.
- Clickjacking on pages with no sensitive state-changing actions, or self-XSS.
- Reports from automated scanners with no validated proof-of-concept.
- Missing rate limiting on non-sensitive endpoints, verbose version banners, or software-version disclosure with no known associated vulnerability.
- Email-spoofing reports based only on SPF, DKIM, or DMARC configuration, TLS configuration grades, or best-practice recommendations with no concrete, demonstrated impact.
Contact
Security: security@visualsentinel.com
Thank you for helping keep Visual Sentinel and its customers safe.