Vulnerability Disclosure

At Insites, security is a core part of how we build and operate our products. We believe that collaboration with the security community helps us identify issues faster, protect our customers more effectively, and continuously improve our platform. This policy explains how to report security vulnerabilities responsibly, what researchers can expect from us, and the principles that guide our coordinated disclosure process.

Overview


Insites is committed to maintaining the security, integrity, and availability of our systems and protecting customer data. We welcome responsible security research and encourage coordinated vulnerability disclosure that helps us improve our products safely.


This Vulnerability Disclosure Policy outlines how security researchers can report potential vulnerabilities, what systems are in scope, and how Insites will respond.


Our goal is to create a transparent, collaborative process that protects customers while supporting ethical security research.



Authorisation & Safe Harbour


We consider security research conducted in accordance with this policy to be authorised. Insites will not pursue legal action against individuals who:


  • Act in good faith to identify security vulnerabilities
  • Follow the guidelines and scope defined in this policy
  • Avoid privacy violations, data destruction, or service disruption
  • Only access data strictly necessary to demonstrate a vulnerability
  • Promptly report findings through the approved disclosure channel


If legal action is initiated by a third party against a researcher who complied with this policy, Insites will make it known that the research was conducted in accordance with this program.



Scope


The following assets are generally considered in scope unless otherwise specified:


  • Public-facing web applications operated by Insites
  • Domains owned and controlled by insites.com
  • Public APIs and documented endpoints
  • Customer-facing dashboards and services
  • Authentication and authorization mechanisms


The following activities are not permitted under this policy:

  • Social engineering or phishing targeting employees, contractors, or customers
  • Physical security testing
  • Denial-of-service (DoS/DDoS) attacks or stress testing
  • Automated scanning that generates excessive traffic or degrades performance
  • Testing against third-party services not owned or operated by Insites
  • Accessing, modifying, or exfiltrating other users’ data beyond what is strictly necessary for proof-of-concept


If you are unsure whether a target is in scope, please contact us before testing.



How to Report a Vulnerability


Please report vulnerabilities by emailing: security@insites.com


Include as much detail as possible:

  • Clear description of the issue
  • Steps to reproduce
  • Proof-of-concept code, screenshots, or logs (if available)
  • Impact assessment and potential attack scenarios
  • Affected URLs, APIs, or components


We request that researchers avoid public disclosure until remediation is complete or a coordinated disclosure timeline has been agreed.



Our Commitments


When you submit a report, Insites commits to:

  • Acknowledge receipt within 72 hours
  • Perform an initial triage and validation
  • Communicate clearly regarding severity and next steps
  • Provide periodic updates where appropriate
  • Work to remediate confirmed vulnerabilities within reasonable timeframes based on severity and risk


Typical remediation targets (non-binding):

  • Critical vulnerabilities: expedited remediation
  • High severity: prioritized fix cycle
  • Medium/Low severity: scheduled remediation based on risk and roadmap


Coordinated Disclosure


We support coordinated disclosure. Once a vulnerability has been resolved, we are open to discussing public disclosure timelines with researchers. Our default expectation is that vulnerabilities remain confidential until remediation is complete and users are protected.



Recognition & Rewards


Insites does not currently operate a public bug bounty program with guaranteed payments. However, we may offer discretionary recognition or rewards for impactful findings at our sole discretion.



Responsible Testing Guidelines


To help us maintain service stability and protect users, please:

  • Avoid actions that negatively impact service availability or performance
  • Do not access or retain sensitive customer data unnecessarily
  • Immediately stop testing and notify us if you encounter sensitive data unintentionally
  • Use test accounts where possible
  • Do not attempt lateral movement beyond proof-of-concept



Legal Terms


By participating in this program, you agree to:

  • Comply with all applicable laws and regulations
  • Avoid exploiting vulnerabilities for financial gain or malicious purposes
  • Provide accurate and sufficient detail to enable remediation



Updates to This Policy


We may update this policy periodically to reflect changes in our security practices. Please refer to this page for the latest version.



Contact


Security Team - security@insites.com