Vulnerability Disclosure Process
Last updated: September 9, 2025
Introduction
At SkyWatch, we place the highest priority on the security of our systems and data. We appreciate the community’s efforts to identify potential vulnerabilities. Your contributions help us maintain a safer and more trustworthy environment.
Guidelines
- Respect Privacy: Avoid accessing or destroying data that does not belong to you.
- No Disruption: Do not engage in any testing that could degrade or interrupt our systems.
- Good Faith Research: Only use methods that are necessary to identify and validate a potential vulnerability.
- Legal Compliance: Comply with all applicable local, state, and federal laws.
Scope
This program is intended to cover:
- EXPLORE: explore.skywatch.com
- HUB: hub.skywatch.com
OUT OF SCOPE:
- Clickjacking on pages with no sensitive actions.
- Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions.
- Attacks requiring MITM or physical access to a user’s device.
- Previously known vulnerable libraries without a working Proof of Concept.
- Comma Separated Values (CSV) injection without demonstrating a vulnerability.
- Missing best practices in SSL/TLS configuration.
- Any activity that could lead to the disruption of our service (DoS).
- Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS.
- Rate limiting or brute-force issues on non-authentication endpoints.
- Missing best practices in Content Security Policy.
- Missing HttpOnly or Secure flags on cookies.
- Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.).
- Vulnerabilities only affecting users of outdated or unpatched browsers [Less than 2 stable versions behind the latest released stable version].
- Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. stack traces, application or server errors).
- Tab-nabbing.
- Open redirect – unless an additional security impact can be demonstrated.
- Issues that require unlikely user interaction.
How to Report a Vulnerability
You can disclose a vulnerability by completing our online form at https://trust.skywatch.com or by emailing us directly at security@skywatch.com. Please include as much detail as possible to help us quickly identify and replicate the issue.
Option A: Online Form
- Visit https://trust.skywatch.com.
- Click on Report Issue on the Trust Page.
- Fill out the Issue Form, providing as much detail and evidence as possible.
- Submit the form.
Option B: Email
If you would prefer, you may also send an email to security@skywatch.com. Please include:
- Full name.
- Detailed description of the issue.
- Steps to reproduce.
- Any relevant screenshots or attachments.
Our Commitment
- Acknowledgment: We will acknowledge receipt of your report within 2-3 business days.
- Investigation: Our security team will investigate and validate the reported vulnerability and classify it according to its severity.
- Remediation: If deemed valid, we will work to address it promptly.
- Status Updates: You will be kept informed of our progress and any next steps.
Vulnerability processing timeline:
| Type | Time for Confirmation | Time for Processing |
| --- | --- | --- |
| Critical | Within 48 hours | Within 72 hours |
| High Risk | Within 3 days | Within 1 week |
| Medium Risk | Within 7 days | Within 2 weeks |
| Low Risk | Within 14 days | Within 1 month |
| Ignored | Within 1 month | Within 6 months |
Safe Harbour
We will not take legal action against researchers who:
- Adhere to this policy’s guidelines.
- Act in good faith and avoid any privacy violations.
- Refrain from causing harm (e.g., data destruction, service interruption).
Thank You
We appreciate your help in keeping our systems and data secure. Your time and effort in responsibly disclosing vulnerabilities to us are invaluable.