Nov 13, 2025

Vulnerability Disclosure Policy

We welcome responsible security research. This page explains how to report vulnerabilities to Pivot and what you can expect from us. This is not a bug bounty; we do not offer monetary rewards at this time.

Scope

In scope (examples):

  • Production domains and services operated by Pivot: pivot.app, pivotstatus.com, and official Pivot mobile/desktop apps.
  • Customer-facing features, authentication flows (SSO/SAML where available), authorization/RBAC, data access controls, audit logging, and API endpoints.

Out of scope (examples):

  • Denial of Service (DoS/DDoS), volumetric or resource‑exhaustion attacks.
  • Social engineering or phishing of Pivot employees or customers.
  • Physical security attacks, stolen devices, or third‑party facilities.
  • Spam, open redirects without demonstrable impact, brute‑force rate‑limit tests.
  • Clickjacking on non‑sensitive pages, username/email enumeration without impact.
  • Vulnerabilities in third‑party services not operated by Pivot (report those to the vendor).

If you’re unsure whether something is in scope, ask us at [email protected].

Rules of Engagement

Please:

  • Use only accounts you own (or explicit test accounts we provide).
  • Do not access, modify, or exfiltrate data that does not belong to you. If you encounter other users’ data, stop testing and report immediately.
  • Avoid impacting availability (no stress tests or traffic floods).
  • Do not introduce malware or backdoors.
  • Respect privacy and confidentiality.

How to Report

Email [email protected] or submit the form at Help and Support. Include:

  • A clear description of the issue and impact.
  • Asset/URL, affected product area, and environment.
  • Steps to reproduce and a minimal Proof of Concept.
  • Screenshots, logs, or a short video if helpful.
  • Your contact information and preferred public credit (optional).

To encrypt sensitive details, use our PGP key (below).

What You Can Expect (SLA)

  • Acknowledgment: within 72 hours of receipt.
  • Initial triage: priority assessment within 5 business days.
  • Status updates: at least every 2 weeks until resolution.
  • Remediation timeline: we aim to remediate high/critical issues as quickly as practicable; we generally follow a 90‑day coordinated disclosure window (or sooner where risk warrants).

If we disagree on severity/timeline, we’ll explain our reasoning and work with you in good faith.

Safe Harbor (Good‑Faith Research)

We will not pursue or recommend legal action against researchers who:

  • Engage in testing only within this policy’s scope and rules.
  • Make a good‑faith effort to avoid privacy violations, service degradation, or data destruction.
  • Report issues promptly and do not disclose them publicly without our agreement.

This policy is intended to align with common good‑faith security research principles (including avoiding actions that would violate applicable laws such as CFAA/DMCA). If in doubt, contact us first.

Contact