Help us keep ThreatZ secure
We take the security of the ThreatZ platform seriously. If you have discovered a vulnerability or believe you have, we’d like to hear about it through coordinated disclosure.
Security contact
In scope
The following are within scope for coordinated disclosure:
- The ThreatZ web application at app.threatz.io and *.threatz.io
- The marketing website at threatz.io
- The ThreatZ API, including authentication, authorization, and tenant-isolation boundaries
- The ThreatZ TestBench Agent and its on-prem/HIL components
- Customer data handling: encryption at rest, encryption in transit, key management, and audit-log integrity
Out of scope
- Social engineering against ThreatZ staff or customers
- Physical attacks against ThreatZ infrastructure
- Denial-of-service attacks (please do not attempt; report theoretical vectors instead)
- Issues in third-party services we depend on (please report to the upstream vendor)
- Findings that require root or administrator access on the reporter’s own machine
- Best-practice recommendations without a demonstrable impact (e.g., missing security headers without an exploitation path)
How to report
- Email security@uraeus.io with a clear description of the issue.
- Include steps to reproduce, affected component(s), and the impact you believe is demonstrable.
- Attach screenshots, request/response captures, or proof-of-concept code as appropriate.
- If the issue is sensitive, request our PGP key in your first email and we will reply with it.
- Allow us reasonable time to investigate and remediate before any public disclosure.
Our response commitment
When you report a vulnerability in scope, we commit to the following triage SLAs:
| Severity | First response | Triage decision | Remediation target |
|---|---|---|---|
| Critical | 1 business day | 2 business days | 7 calendar days |
| High | 2 business days | 5 business days | 30 calendar days |
| Medium | 5 business days | 10 business days | 90 calendar days |
| Low | 10 business days | 20 business days | Next scheduled release |
Severity is assigned using CVSS 3.1 (Base) and adjusted for environmental factors specific to the ThreatZ platform.
Safe harbor
When you act in good faith under this policy:
- We will not pursue or support legal action against you for accidental, good-faith research.
- We will work with you to understand and resolve the issue quickly.
- We will recognize your contribution (with your permission) in the acknowledgments below.
This safe harbor does not authorize: accessing customer data, modifying customer data, disrupting service for other users, or any activity that would violate applicable law. If in doubt about an action, contact us first.
CSMS & coordinated disclosure obligations
ThreatZ’s own engineering operates under a coordinated disclosure process aligned with ISO/SAE 21434 §15.4 (Cybersecurity incident response). Customers operating ThreatZ inside a CSMS programme can map our incident-response process to their own UNECE R155 §7.3.3 obligations and request our supporting playbook as part of procurement review.
Acknowledgments
We are grateful to the researchers who have responsibly reported vulnerabilities to us. With permission, we publish acknowledgments here.
List forthcoming — we acknowledge new contributors as reports are resolved and reporters consent to public recognition.
Related security resources
- ThreatZ Platform SBOM — CycloneDX software bill of materials availability
- RFC 9116 security.txt — machine-readable disclosure metadata
- Sales & procurement contact — security questionnaire requests and DPAs