Coordinated disclosure

Security policy.

SQUR runs offensive-security tooling. We value security research that helps us improve. This policy describes how to report a vulnerability and what to expect from us.


Scope

In scope

  • *.squr.ai production domains
  • squr-ai/* GitHub repositories
  • Authenticated and unauthenticated paths on app.squr.ai
  • API endpoints at api.squr.ai
  • The asm.squr.ai free attack-surface scanner
  • Email infrastructure (*.squr.ai outbound, cold-outreach campaign domain)
  • Open-source tools published under squr-ai/*

Out of scope

  • Third-party services we use (Resend, Firestore, Cloud Run, Statuspage.io) — please report to those vendors
  • DNS misconfigurations not under SQUR control
  • Issues requiring physical access to a SQUR-issued device
  • Social-engineering attacks against SQUR employees
  • Denial-of-service attacks (do not test)
  • Issues on test/staging subdomains (*-staging.squr.ai, *-dev.squr.ai)
  • Vulnerabilities in dependencies we cannot patch — please report upstream first

How to report

Preferred

GitHub security advisory

Open a private security advisory on the squr-ai/.github repo. We receive an immediate notification.

Alternative

Email security@squr.ai

Include the vulnerability description, reproduction steps, your assessment of impact, and contact info. PGP key fingerprint on request — email us first.

Include in your report

  • Clear description of the vulnerability
  • Steps to reproduce, including any required setup
  • The impact you assess (confidentiality / integrity / availability)
  • Your name and a way to contact you
  • Optional: a suggested fix

Do not publicly disclose the issue, share details outside SQUR, or attempt to access data belonging to other users while testing.

What to expect

Stage              | SLA              | Action
Acknowledgement    | 1 business day   | We confirm receipt and assign a tracker ID
Initial assessment | 5 business days  | We classify severity and confirm in-scope
Status updates     | Every 14 days    | Progress on remediation
Fix + disclosure   | ≤ 90 days        | We work with you on disclosure timeline
Credit             | (your request)   | Hall-of-fame, CVE credit, blog mention

We operate a 90-day coordinated disclosure window by default. We may extend for complex issues; we will not extend without your agreement.

Safe harbour

Good-faith research is welcome.

If you act in good faith — accessing only what's necessary to demonstrate the issue, not accessing or modifying other users' data, not disrupting our services, and giving us reasonable time to fix — we will not pursue legal action and will work with you publicly to credit your finding.

We will not invoke the DMCA, computer-fraud statutes, or similar laws against good-faith research consistent with this policy.

Hall of fame

We publicly credit security researchers who help us improve. List forthcoming.