Responsible Disclosure Policy

SenseOn's responsible disclosure policy for reporting security vulnerabilities. We welcome reports from security researchers.

Last updated: 3 May 2026

SenseOn Limited ("SenseOn", "we", "us") takes the security of our platform, services, and customers' data seriously. We welcome good-faith vulnerability reports from security researchers, customers, partners, and the wider security community.

1. Scope

This policy applies to security vulnerabilities in:

  • SenseOn customer-facing applications and services
  • The SenseOn website and public web properties
  • SenseOn APIs, integrations, and supported marketplace listings
  • SenseOn Sensor, agent, and deployment tooling that we operate or distribute

Out of Scope

The following are not in scope for this policy:

  • Social engineering attacks against SenseOn employees or customers
  • Denial of service, load, or stress testing without prior written permission
  • Physical security issues, social engineering, phishing, or spam
  • Vulnerabilities in third-party applications or services not operated by SenseOn
  • Findings from automated scanning tools without demonstrated impact
  • Missing HTTP headers or low-risk configuration observations without a practical exploit path
  • Issues that require compromised credentials, outdated browsers, or unrealistic user interaction unless there is clear customer impact

2. How to Report

Please report vulnerabilities via email to security@senseon.io. If your report contains highly sensitive material, say so in the initial message and we will arrange an appropriate secure exchange.

Include as much of the following information as possible:

  • Description of the vulnerability
  • Steps to reproduce the issue
  • Potential impact assessment
  • Any proof-of-concept code or screenshots
  • Your contact information for follow-up

3. Our Commitment

When you report a vulnerability in good faith:

  • Acknowledgement: We will acknowledge receipt within 2 business days
  • Assessment: We will triage the report, confirm scope, and provide an initial assessment within 5 business days where possible
  • Updates: We will keep you informed of meaningful remediation progress
  • Resolution: We will prioritise confirmed vulnerabilities based on severity, exploitability, customer impact, and active exploitation risk
  • Recognition: With your permission, we will credit you for valid, responsibly disclosed findings

4. Expected Timelines

| Severity | Target Resolution |
|----------|-------------------|
| Critical (CVSS 9.0+) | 24–72 hours |
| High (CVSS 7.0–8.9) | 7 days |
| Medium (CVSS 4.0–6.9) | 30 days |
| Low (CVSS 0.1–3.9) | 90 days |

Targets may change if a vulnerability affects third-party dependencies, customer environments, or coordinated industry remediation. In those cases, we will explain the reason and agree a sensible disclosure timeline.

5. Guidelines for Researchers

To ensure a safe and productive process, we ask that you:

  • Do not access, modify, copy, retain, or delete data belonging to SenseOn customers, employees, or other users
  • Do not interrupt, degrade, or attempt to degrade SenseOn services
  • Do not use destructive payloads, persistence, credential theft, lateral movement, or data exfiltration
  • Do not publicly disclose the vulnerability before we have had a reasonable opportunity to address it
  • Do use the minimum testing needed to prove impact
  • Do stop testing and report immediately if you encounter sensitive data or service-impacting behaviour
  • Do act in good faith and comply with applicable laws

6. Safe Harbour

SenseOn will not pursue legal action against individuals who:

  • Comply with this responsible disclosure policy
  • Report vulnerabilities in good faith
  • Do not exploit vulnerabilities beyond what is necessary to demonstrate the issue
  • Do not access, modify, retain, or exfiltrate customer, employee, or third-party data
  • Stop testing and notify us promptly if sensitive data is exposed

We consider security research conducted in accordance with this policy to be authorised and will not pursue civil or criminal action.

7. Rewards

SenseOn does not currently operate a formal bug bounty programme. However, we recognise the value of security research and may offer recognition or rewards at our discretion for particularly significant or impactful findings.

8. Contact

  • Email: security@senseon.io
  • Web: senseon.io/responsible-disclosure-policy

Thank you for helping keep SenseOn and our customers secure.