
Responsible Disclosure Policy

SenseOn's responsible disclosure policy for reporting security vulnerabilities. We welcome reports from security researchers.


Last updated: 15 January 2025

SenseOn Limited ("SenseOn", "we", "us") takes the security of our platform and our customers' data seriously. We welcome and appreciate reports of security vulnerabilities from security researchers, customers, and the general public.

1. Scope

This policy applies to security vulnerabilities in:

  • The SenseOn platform (app.senseon.io)
  • The SenseOn website (senseon.io)
  • SenseOn APIs and integrations
  • SenseOn agent software

Out of Scope

The following are not in scope for this policy:

  • Social engineering attacks against SenseOn employees or customers
  • Denial of service attacks
  • Physical security issues
  • Vulnerabilities in third-party applications or services not operated by SenseOn
  • Findings from automated vulnerability scanning tools without demonstrated impact
  • Missing HTTP headers without demonstrated security impact
  • TLS configuration issues on non-production environments

2. How to Report

Please report vulnerabilities via email to security@senseon.io.

Include as much of the following information as possible:

  • Description of the vulnerability
  • Steps to reproduce the issue
  • Potential impact assessment
  • Any proof-of-concept code or screenshots
  • Your contact information for follow-up

Please encrypt sensitive reports using our PGP key, available at senseon.io/.well-known/security.txt.

3. Our Commitment

When you report a vulnerability in good faith:

  • Acknowledgement: We will acknowledge receipt within 2 business days
  • Assessment: We will provide an initial assessment within 5 business days
  • Updates: We will keep you informed of our progress toward remediation
  • Resolution: We will work to resolve confirmed vulnerabilities promptly based on severity
  • Recognition: With your permission, we will credit you in our security acknowledgements

4. Expected Timelines

| Severity | Target Resolution |
|----------|-------------------|
| Critical (CVSS 9.0+) | 24–72 hours |
| High (CVSS 7.0–8.9) | 7 days |
| Medium (CVSS 4.0–6.9) | 30 days |
| Low (CVSS 0.1–3.9) | 90 days |

We may request a coordinated disclosure timeline if remediation requires more time than the targets above.

5. Guidelines for Researchers

To ensure a safe and productive process, we ask that you:

  • Do not access, modify, or delete data belonging to other users
  • Do not perform actions that could degrade service for SenseOn customers
  • Do not publicly disclose the vulnerability before we have had a reasonable opportunity to address it
  • Do make a good-faith effort to avoid privacy violations and disruption
  • Do act in good faith and comply with applicable laws

6. Safe Harbour

SenseOn will not pursue legal action against individuals who:

  • Comply with this responsible disclosure policy
  • Report vulnerabilities in good faith
  • Do not exploit vulnerabilities beyond what is necessary to demonstrate the issue
  • Do not access, modify, or exfiltrate customer data

We consider security research conducted in accordance with this policy to be authorised and will not pursue civil or criminal action.

7. Rewards

SenseOn does not currently operate a formal bug bounty programme. However, we recognise the value of security research and may offer recognition or rewards at our discretion for particularly significant or impactful findings.

8. Contact

  • Email: security@senseon.io
  • PGP Key: Available at /.well-known/security.txt
  • Web: senseon.io/responsible-disclosure-policy

Thank you for helping keep SenseOn and our customers secure.