Report Security Vulnerabilities
If you discover a security vulnerability in ISMS Copilot, we want to hear from you. This article explains what qualifies as a security issue, how to report it responsibly, and what to expect during our resolution process.
Do not publicly disclose vulnerabilities before we've had a chance to investigate and fix them. Public disclosure puts all ISMS Copilot users at risk.
What qualifies as a security vulnerability
Report issues that could compromise:
Data confidentiality: Unauthorized access to user data, workspaces, conversations, or uploaded documents
Authentication and access control: Bypassing login, session hijacking, privilege escalation, or accessing other users' accounts
Data integrity: Unauthorized modification or deletion of user data or system configurations
Application security: SQL injection, cross-site scripting (XSS), cross-site request forgery (CSRF), or similar injection and request-forgery flaws
Infrastructure security: Server misconfigurations, exposed credentials, or insecure API endpoints
Encryption failures: Weak or broken encryption, insecure data transmission, or exposed cryptographic keys
What does not qualify
The following are not considered security vulnerabilities:
Feature requests or general bug reports (use our standard support channel for these)
Issues requiring physical access to a user's device
Social engineering attacks targeting end users
Denial-of-service (DoS) attacks without demonstrable impact
Spam or rate-limiting bypass for legitimate features
Vulnerabilities in third-party services we don't control (report these directly to the provider)
If you're unsure whether an issue qualifies as a security vulnerability, report it anyway. We'd rather review a non-issue than miss a real vulnerability.
Supported versions
ISMS Copilot operates as a software-as-a-service (SaaS) platform with continuous deployment. All users run the latest production version automatically — there are no legacy versions to maintain.
Security vulnerabilities should be reported for:
Production application: https://chat.ismscopilot.com
Help Center: https://help.ismscopilot.com
Public-facing websites: https://www.ismscopilot.com, https://trust.ismscopilot.com
API endpoints: Any publicly accessible or authenticated API used by the application
How to report a vulnerability
Follow these steps to submit a responsible disclosure:
Contact ISMS Copilot support immediately through the Help Center at https://help.ismscopilot.com or email [email protected]
Include detailed information:
Description of the vulnerability and its potential impact
Step-by-step reproduction instructions
Affected URLs, endpoints, or features
Screenshots, videos, or proof-of-concept code (if applicable)
Your assessment of severity (low, medium, high, critical)
Do not exploit the vulnerability beyond what's necessary to demonstrate the issue
Do not access, modify, or delete other users' data during your testing
Keep the issue confidential until we've confirmed a fix is deployed
The more detail you provide, the faster we can validate and fix the issue. Clear reproduction steps are especially valuable.
Response and resolution timeline
When you report a vulnerability, here's what happens:
Initial acknowledgment: We'll confirm receipt of your report within 24 hours
Assessment: Our security team will evaluate the issue within 24 hours of acknowledgment to determine severity and impact
Investigation: We'll investigate the root cause and develop a fix. Timeline depends on complexity:
Critical vulnerabilities: Resolution within 48-72 hours
High-severity issues: Resolution within 7 days
Medium/low-severity issues: Resolution within 30 days
Notification: If the vulnerability has exposed personal data, we'll notify the relevant supervisory authority within 72 hours of becoming aware of the breach (GDPR Article 33) and inform affected users within the same 72-hour window (GDPR Article 34 requires this without undue delay where the breach is likely to put them at high risk)
Resolution confirmation: We'll inform you when the fix is deployed and confirm it's safe to disclose publicly (if you choose to do so)
We appreciate responsible disclosure. Once the issue is resolved, we're happy to credit you publicly (with your permission) or keep your contribution anonymous if you prefer.
What not to do
To protect all users, please avoid:
Public disclosure: Don't post vulnerabilities on social media, forums, or public issue trackers before we've resolved them
Excessive testing: Don't run automated scans or penetration tests that could disrupt service for other users
Data exfiltration: Don't download, store, or share other users' data — even to prove a vulnerability exists
Extortion or threats: Security research should be conducted in good faith to improve the platform, not for leverage
Bug bounty program
ISMS Copilot does not currently operate a formal bug bounty program with financial rewards. We deeply appreciate security researchers who report vulnerabilities responsibly and will acknowledge your contribution publicly (with permission) when issues are resolved.
We may offer recognition, swag, or service credits on a case-by-case basis for particularly impactful findings.
Related resources
Security & Data Protection Overview - Comprehensive security documentation
How We Keep ISMS Copilot Safe & Accurate - Our security approach
System Status Page - Real-time uptime monitoring
Security Policies - Internal security policies and procedures
Questions?
If you're unsure whether something qualifies as a security vulnerability or need clarification on our disclosure process, contact us at [email protected]. We're here to help make ISMS Copilot more secure.