Security & Responsible Disclosure

We take the security of DeployHQ and our customers seriously.

If you believe you've found a security vulnerability, we want to hear about it. This page describes how to report issues, what's in scope, and what to expect from us.

How to report

Email security@deployhq.com with:

  • A clear description of the issue
  • Steps to reproduce, with a proof of concept if possible
  • The impact you believe it has
  • Your name or handle if you'd like credit

We aim to acknowledge reports within 3 business days.

Scope

Anything under deployhq.com and its first-party subdomains, the DeployHQ application, the Deploy Agent, and our public APIs.

Out of scope

The following are explicitly out of scope and will not be eligible for an appreciation reward:

  • SPF / DKIM / DMARC configuration issues
  • Missing security headers (CSP, HSTS, X-Frame-Options) without a demonstrated exploit
  • Missing cookie flags on non-session cookies
  • Clickjacking without a defined security impact
  • Self-XSS or XSS only affecting outdated browsers
  • Open redirects without a higher-impact chain
  • Disclosure of software version numbers
  • Automated scanner output without a working proof of concept
  • Denial of Service attacks
  • Attacks requiring a man-in-the-middle position
  • Use of known-vulnerable libraries without proof of exploitation
  • Rate limiting on non-authentication endpoints
  • User enumeration without further impact
  • Logout CSRF
  • Password complexity policy suggestions
  • Host header injection without a working proof of concept
  • Content spoofing or text injection that can't be leveraged for XSS or sensitive data disclosure
  • Reports that violate our rules of engagement (see below)

We classify submissions using the Bugcrowd Vulnerability Rating Taxonomy. Issues rated P5 (Informational) are generally not eligible for a reward.

Rules of engagement

  • Do not access, modify, or destroy data belonging to other users
  • Do not perform DDoS or volumetric testing
  • Do not use social engineering, phishing, or physical attacks against staff or customers
  • Do not publicly disclose the issue until we've had a reasonable chance to fix it
  • Comply with all applicable laws

If you follow these rules, we won't pursue legal action for good-faith security research.

Rewards

We offer appreciation rewards for valid, in-scope reports. The amount is at our discretion and depends on severity, quality of the report, and impact. We don't publish a fixed bounty table.

Hall of fame

We're grateful to the researchers who have helped keep DeployHQ secure. This section will be updated to recognise their contributions.

Contact

security@deployhq.com