Vulnerability Disclosure Policy

Security at SteepDesk

SteepDesk takes the security of its platform and its customers' data seriously. This page describes how to report a vulnerability, what to expect from us in return, and our safe-harbor commitments.

Reporting a Vulnerability

Please do not open a public GitHub issue for security reports.

Report suspected vulnerabilities to:

Email: security@steepdesk.com
Machine-readable disclosure policy: /.well-known/security.txt

Please include:

A clear description of the issue
Steps to reproduce (proof-of-concept code or HTTP requests where applicable)
Affected component(s) and version(s)
Any known impact (data exposure, privilege escalation, etc.)
Your name or handle if you would like to be credited

What to Expect

Stage	Target
Acknowledgement of receipt	Within 2 business days
Initial triage and severity assessment	Within 5 business days
Status updates during investigation	At least weekly
Resolution or mitigation for Critical / High findings	Within 30 days where feasible

We follow coordinated disclosure: we ask that you give us a reasonable window to remediate before any public disclosure. We will credit reporters who request it once a fix has shipped.

Safe Harbor

We will not pursue legal action against researchers who:

Make a good-faith effort to avoid privacy violations, service disruption, and data destruction
Only access data necessary to demonstrate the vulnerability
Do not exfiltrate, modify, or destroy customer data
Give us a reasonable opportunity to remediate before public disclosure
Do not violate any other applicable law

Supported Versions

SteepDesk is a continuously deployed SaaS product. The hosted production version at steepdesk.com is the only supported version and always receives security updates immediately.

Version	Supported
Hosted production (latest)	Yes
Tagged releases (v0.x.y)	No — reference points only; self-hosting is not supported
main branch	Pre-release; not for production use

← Back to SteepDesk