Security

Responsible Disclosure

Found something? We treat researchers as partners. Here is how to reach us safely.

We welcome security research and treat the people who report issues to us as partners, not adversaries. This page describes how to report a finding and what you can expect in return.

How to report

Send your report to security@horizonshield.cloud. If the finding is sensitive you can encrypt the report — request our public key in your first message and we will send it back over a verified channel.

A useful report includes:

  • A description of the issue
  • Steps to reproduce, or a proof-of-concept
  • The impact you believe an attacker could achieve
  • Any logs or artifacts that help us understand it

In scope

  • The HorizonShield product surfaces under the horizonshield.cloud apex and its subdomains
  • Authentication, authorization, and data-isolation behavior between organizations
  • Privilege escalation within a single organization

Out of scope

  • Social-engineering attempts against staff, customers, or contractors
  • Findings that require physical access to a device
  • Volumetric denial-of-service traffic
  • Reports based purely on automated scanner output without an exploitable scenario
  • Findings on third-party services that integrate with HorizonShield

Safe harbor

If you act in good faith, follow this policy, avoid privacy violations, do not exfiltrate data beyond what is needed to demonstrate the issue, and give us reasonable time to fix before public disclosure, we will not pursue legal action against you.

What we promise back

  • Acknowledgment of your report on receipt
  • Updates while we investigate
  • Public credit when the fix ships, if you would like it
  • A reward for qualifying findings, sized to the severity and uniqueness of the issue