Legal
Vulnerability Disclosure Policy
SanctiKey, LLC · Document Version: 1.0 · Last Reviewed: July 1, 2026 · Effective Date: July 1, 2026
1. Purpose
SanctiKey welcomes good-faith security research. This policy explains how to report a vulnerability, what systems are in scope, and the protections we extend to researchers acting in good faith. This policy fulfills the responsible-disclosure commitment in Section 8 of the Security Policy.
2. Scope
In scope:
- The SanctiKey marketing website and customer portal
- SanctiKey public API endpoints and the Service’s authentication surfaces
- The Demo Environment (using your own demo account)
Out of scope:
- Denial-of-service, load, or volumetric testing of any kind
- Social engineering, phishing, or physical attacks against SanctiKey or its personnel
- Attacks against other customers’ accounts or data, including any attempt to access data that is not yours
- Third-party services (AWS, Stripe, Google); report those to the vendor
- Automated scanning that degrades Service availability
3. How to Report
Email security@sanctikey.com with:
- A description of the issue and its impact
- Steps to reproduce (proof-of-concept preferred)
- Any relevant logs, request/response captures, or screenshots
We will acknowledge your report within 3 business days, keep you informed of remediation progress, and notify you when the issue is resolved. SanctiKey does not currently operate a paid bounty program; we will credit researchers who request it once a fix is released.
4. Safe Harbor
SanctiKey will not initiate legal action against you, and will not refer you for prosecution, for security research that is:
- Conducted in good faith and within the scope defined in Section 2
- Limited to the minimum access necessary to demonstrate the vulnerability
- Reported promptly to SanctiKey without public disclosure before remediation
- Free of privacy violations, data destruction, and service degradation
If you inadvertently access another user's data, stop immediately, do not retain or share it, and include the details in your report. Research conducted consistently with this policy is considered authorized under applicable anti-hacking laws, including the Computer Fraud and Abuse Act, and SanctiKey waives any claim under the Terms of Service restrictions (including reverse-engineering restrictions) to the extent the research complies with this policy.
5. Disclosure Timeline
We ask that you give us 90 days from acknowledgment before any public disclosure. If remediation requires longer, we will communicate a timeline and coordinate a disclosure date with you.
6. Contact
SanctiKey, LLC
Security: security@sanctikey.com
This Vulnerability Disclosure Policy is effective as of the date listed above and supersedes all prior versions.
