Vulnerability disclosure
Traceable operates a responsible disclosure programme. We welcome reports from the security research community and are committed to working transparently and cooperatively with researchers who identify vulnerabilities in our platform.
How to Report a Vulnerability
Email: security@traceable.digital
PGP: A PGP public key is available on request for encrypted submission of sensitive vulnerability details.
Please do not report security vulnerabilities through public GitHub issues, support tickets, or social media.
What to Include in Your Report
A high-quality report helps us triage and resolve issues quickly. Please include:
- Description: a clear explanation of the vulnerability and what can be achieved by exploiting it
- Affected endpoint or component: the specific URL, API endpoint, or feature area affected
- Steps to reproduce: a detailed, step-by-step reproduction path — ideally tested against a staging or demo account
- Vulnerability type: OWASP category if known (e.g. OWASP Top 10 — A03: Injection, A07: Identification and Authentication Failures)
- Severity assessment: your assessment of the potential impact (critical / high / medium / low)
- Proof of concept: screenshots, screen recordings, or code snippets that demonstrate the issue without exploiting it beyond what is necessary
- Your contact details: for follow-up discussion and credit
Scope
The following are in scope for vulnerability reports:
| Target | Description |
|---|---|
| app.traceable.digital | Production platform — authenticated and public endpoints |
| traceable.digital | Marketing website |
| dev.traceable.digital | Documentation site |
| APIs | All API endpoints served from the above domains |
Out of scope:
- Social engineering attacks targeting Traceable employees or contractors
- Physical attacks or attacks requiring physical access to infrastructure
- Denial-of-service attacks (including volumetric DDoS)
- Vulnerabilities in third-party services or infrastructure not under Traceable's direct control
- Issues that require the attacker to already have full account access (e.g. self-XSS)
- Theoretical vulnerabilities with no demonstrated practical impact
Rules of Engagement
By participating in this programme, researchers agree to:
- Limit data access: do not access, exfiltrate, modify, or delete customer data beyond the minimum necessary to demonstrate the vulnerability. Use a personal test account.
- No disruption: do not perform actions that degrade platform performance or availability for other users
- No destructive testing: do not use automated scanners at rates that would constitute a denial of service
- No public disclosure: do not publicly disclose the vulnerability until a fix has been deployed and you have received written confirmation from Traceable that disclosure is appropriate
Our Commitments to Researchers
| Commitment | Timeline |
|---|---|
| Acknowledge receipt of the report | Within 2 business days |
| Provide an initial assessment and triage decision | Within 5 business days |
| Communicate a resolution timeline | Within 10 business days |
| Deploy a fix (for confirmed high/critical issues) | As soon as practicable — critical issues are prioritised above all other work |
| Credit the reporter | In release notes and, if desired, in this documentation — with the reporter's consent |
| Legal protection | We will not pursue legal action against researchers who comply with these rules and act in good faith |
Safe Harbour
Traceable supports responsible security research. Researchers acting in good faith and in compliance with the rules of engagement above will not face legal action from Traceable for their research activities. We consider good-faith research to exclude: intentional access to customer data beyond a personal test account, any action that disrupts the platform for other users, or public disclosure before a fix is deployed.
This safe harbour applies to Traceable's own legal position and does not bind third parties.
To report a vulnerability: security@traceable.digital
Last reviewed: April 2026.