How to report
Email security@deployhq.com with:
- A clear description of the issue
- Steps to reproduce, together with a working proof of concept
- The impact you believe it has, with a self-assessed severity rating using CVSS v3.1 or the Bugcrowd Vulnerability Rating Taxonomy (VRT)
- Your name or handle if you'd like credit
We aim to acknowledge reports within 3 business days. Reports submitted without a working proof of concept will not be accepted.
Scope
Anything under deployhq.com and its first-party subdomains, the DeployHQ application, the Deploy Agent, and our public APIs.
Out of scope
The following are explicitly out of scope and will not be eligible for an appreciation reward:
- SPF / DKIM / DMARC configuration issues
- Missing security headers (CSP, HSTS, X-Frame-Options) without a demonstrated exploit
- Missing cookie flags on non-session cookies
- Clickjacking without a defined security impact
- Self-XSS or XSS only affecting outdated browsers
- Open redirects without a higher-impact chain
- Disclosure of software version numbers
- Automated scanner output without a working proof of concept
- Denial of Service attacks
- Attacks requiring a man-in-the-middle position
- Use of known-vulnerable libraries without proof of exploitation
- Missing or weak rate limiting on non-authentication endpoints
- User enumeration without further impact
- Logout CSRF
- Password complexity policy suggestions
- Host header injection without a working proof of concept
- Content spoofing or text injection that can't be leveraged for XSS or sensitive data disclosure
- Vulnerabilities in third-party services we rely on (for example Stripe, PayPal, Postal, Mixpanel, Sentry) — please report those directly to the vendor's own disclosure programme. Misconfigurations on our side of the integration (such as leaked keys, permissive CORS, or exposed webhook secrets) remain in scope.
- Reports that appear to be AI-generated, templated, or mass-distributed across multiple programmes without specific, verified findings on our systems
- Reports that violate our rules of engagement (see below)
We classify submissions using the Bugcrowd Vulnerability Rating Taxonomy; our triage rating, not the self-assessed one in the report, determines eligibility. Issues rated P5 (Informational) are generally not eligible for a reward.
Rules of engagement
- Use a test account that you create yourself for security research — do not test against real customer accounts or data
- Do not access, modify, or destroy data belonging to other users
- Do not perform DDoS or volumetric testing
- Do not use social engineering, phishing, or physical attacks against staff or customers
- Do not publicly disclose the issue until we've had a reasonable chance to fix it
- Do not resubmit the same finding multiple times — we receive a high volume of reports, and duplicate submissions on the same issue may result in all of them being dismissed
- Comply with all applicable laws
If you follow these rules, we won't pursue legal action for good-faith security research.
Rewards
We offer appreciation rewards for valid, in-scope reports. The amount is at our discretion and depends on severity, quality of the report, and impact. We don't publish a fixed bounty table.
Rewards are issued only after the fix has been deployed and the reporter has verified in production that the issue is resolved. We ask for that confirmation before we close the report.
Hall of fame
We're grateful to the researchers who have helped keep DeployHQ secure. This section will be updated to recognise their contributions.