Vulnerability Disclosure Policy

How to report security vulnerabilities in Poggio products and infrastructure

Poggio Labs, Inc.

Last Updated: June 12, 2026

Poggio Labs takes the security of our systems and our customers' data seriously. We value the work of security researchers and welcome reports of vulnerabilities in our products and infrastructure, made in good faith.

Reporting a Vulnerability

If you believe you have found a security vulnerability in any Poggio system, please report it to us at:

infosec@poggio.io

Please include, where possible:

  • A description of the vulnerability and its potential impact
  • Steps to reproduce the issue (proof-of-concept code, screenshots, or request/response samples are helpful)
  • The affected URL, endpoint, or component
  • Any relevant environment details (browser, account type, etc.)

We ask that you report vulnerabilities promptly after discovery and keep the details confidential until we have had a reasonable opportunity to remediate.

Our Commitment

When you report a vulnerability to us in accordance with this policy, we will:

  • Acknowledge receipt of your report within 3 business days
  • Provide an initial assessment and expected remediation timeline within 10 business days
  • Keep you informed of our progress toward remediation
  • Notify you when the issue is resolved
  • Credit you for the discovery, if you wish, once the issue has been remediated

Scope

This policy applies to:

  • The Poggio application and APIs (poggio.io and subdomains)
  • The Poggio Slack application
  • Poggio-operated infrastructure supporting these services

The following are out of scope:

  • Denial-of-service (DoS/DDoS) testing
  • Social engineering, phishing, or physical attacks against Poggio Labs employees, contractors, or facilities
  • Testing against systems or accounts you do not own or are not authorized to access
  • Automated scanning that degrades service availability
  • Third-party services and vendors not operated by Poggio Labs (please report issues with those services to the respective vendor)

Safe Harbor

We will not pursue legal action against researchers who:

  • Make a good-faith effort to comply with this policy
  • Avoid privacy violations, data destruction, and degradation of our services
  • Do not access, modify, or exfiltrate data belonging to other customers — if you encounter another customer's data in the course of testing, stop immediately and include this in your report
  • Do not exploit a vulnerability beyond the minimum necessary to demonstrate its existence

Activities conducted in a manner consistent with this policy are considered authorized, and we will not initiate or support legal action against you for accidental, good-faith violations of this policy.

Rewards

Poggio Labs does not currently operate a paid bug bounty program. We are glad to publicly acknowledge researchers who responsibly disclose valid vulnerabilities, with their permission.

Questions

For questions about this policy, contact infosec@poggio.io. For data and privacy notices, please use the channels described in our Data Processing Addendum.
