We welcome reports from security researchers. This page defines our scope, safe-harbor terms, and the process.
In scope
- *.netinsightpro.com — website, API, admin portal, releases CDN
- NetInsightPro Windows / Linux / Android client applications
- License activation + validation flow
- Mobile app protocol (HMAC signing, JWT claims)
Out of scope
- Third-party services (Stripe, our cloud infrastructure sub-processors)
- Social engineering of staff or customers
- Physical attacks
- Denial-of-service (DoS / DDoS) — do not run
- Self-XSS, reports without PoC, theoretical issues without impact
- Outdated software version reports without exploit path
- Missing security headers without demonstrated impact
How to report
- Email security@netinsightpro.com with:
  - Summary + severity estimate (CVSS 4.0)
  - Reproduction steps + PoC
  - Impact assessment
  - Optional: your preferred credit name
- Use PGP (key on request) for sensitive reports
- Give us reasonable time to fix before public disclosure (typical: 90 days)
Safe harbor
We will NOT pursue legal action against researchers who:
- Report in good faith via the above channel
- Avoid privacy violations, data destruction, or service disruption
- Do not exploit beyond PoC needed to demonstrate the issue
- Do not disclose publicly before we've had reasonable fix time
Recognition
We currently do not pay monetary bounties (startup stage). In exchange we offer:
- Prompt acknowledgement + public credit (opt-in Hall of Fame)
- Swag for High/Critical findings (once we have it made)
- A lifetime Pro license
We will move to a funded bounty program as we scale.
Response timeline
| Severity | Acknowledge | Triage | Patch |
|---|---|---|---|
| Critical | 24 hrs | 3 business days | 14 days |
| High | 2 business days | 5 business days | 30 days |
| Medium / Low | 5 business days | 10 business days | 90 days |
Hall of Fame
Reserved for first researchers to report in-scope vulnerabilities. Empty list is good news.