Security & Vulnerability Disclosure

We take the security of Intercept seriously. If you believe you have found a vulnerability, please report it to us responsibly.

Scope

The following are in scope for our vulnerability disclosure programme:

  • intercept.hijacksecurity.com — production web application
  • intercept.test.hijacksecurity.com — test environment
  • Public APIs hosted under the above domains
  • The Intercept Posture Agent (PyPI package intercept-posture-agent)
  • Open-source components published by Hijack Security on GitHub

Out of scope: third-party services we depend on (report to them directly), social engineering, physical attacks, denial-of-service, and findings that require privileged access already granted to your tenant.

Safe Harbor

Hijack Security supports good-faith security research. If you make a good-faith effort to comply with this policy during your research, we will:

  • Not pursue or support any legal action against you for your research
  • Consider your activity authorised under the Computer Fraud and Abuse Act and similar laws, and waive any restrictions in our Terms of Service that would interfere with security research conducted in line with this policy
  • Work with you to understand and resolve the issue quickly

Good faith means: do not access, modify, or destroy data that does not belong to you; do not degrade service availability; stop and report immediately if you encounter sensitive data; and give us reasonable time to resolve the issue before public disclosure.

How to Report

Send vulnerability reports to security@hijacksecurity.com. Please include:

  • A clear description of the issue and its impact
  • Step-by-step reproduction instructions or a proof-of-concept
  • The affected URL, endpoint, or component
  • Your name or handle (if you wish to be credited)

Please do not open public GitHub issues, social media posts, or support tickets for security reports.

Response SLA

  • Acknowledgement: we acknowledge new reports within 2 business days.
  • Triage: we provide an initial severity assessment within 5 business days.
  • Resolution target: Critical — 7 days, High — 30 days, Medium — 90 days. Lower severities are addressed on our roadmap.
  • Disclosure: we coordinate public disclosure with the reporter once a fix is available.

Hall of Fame

We are grateful to the researchers who have responsibly reported issues to us. As the programme matures we will publish acknowledgements here, with the reporter's consent.

No public acknowledgements yet. Be the first — we credit researchers who prefer to be named.

Contact

Security reports: security@hijacksecurity.com.