How to report
Send an email to security@exceptao.com. Include as much detail as you can: affected URL or endpoint, steps to reproduce, proof-of-concept (screenshots, request/response dumps), and your assessment of impact. Please do not open a public GitHub issue or social-media post before we have had a chance to respond.
A machine-readable version of this policy is available at /.well-known/security.txt (RFC 9116).
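As an added illustration (not the file actually served by exceptao.com), this is what a minimal security.txt in the RFC 9116 format looks like when it matches the policy on this page. Contact and Expires are the two fields the RFC requires; the Expires timestamp, the Policy URL and the Acknowledgments URL below are placeholders assumed for the example, and Canonical records the HTTPS location the file is meant to be served from.

```text
# Illustrative security.txt (RFC 9116). Placeholder values are marked; this is
# not the file published by exceptao.com.
Contact: mailto:security@exceptao.com
Expires: 2026-12-31T23:59:59.000Z
Preferred-Languages: en
Canonical: https://exceptao.com/.well-known/security.txt
# Assumed locations of this policy page and its acknowledgments section:
Policy: https://exceptao.com/security
Acknowledgments: https://exceptao.com/security#acknowledgments
```

The file must be served over HTTPS at /.well-known/security.txt, and the RFC recommends keeping Expires less than a year ahead and renewing it; an expired file is the most common defect, so a periodic check that the date is still in the future is worth automating alongside certificate monitoring.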
Ready to report? Email us directly at security@exceptao.com.
What to expect
We aim to respond to every report within 2 business days with an acknowledgment. Triage (confirming whether the issue is valid, assessing severity) happens within 5 business days.
Once a vulnerability is confirmed, we will keep you updated on remediation progress. We ask that you do not disclose the issue publicly until we have shipped a fix or until 90 days have elapsed from initial report — whichever comes first.
We will acknowledge your contribution on this page (with your permission) once the issue is resolved.
In scope
The following assets are in scope for this programme:
- app.exceptao.com — the customer-facing SPA and API
- api.exceptao.com — the REST API origin
- exceptao.com — this marketing site (content injection, open redirects)
- The Stripe-redirect checkout chain (app.exceptao.com/billing/**)
- Authentication flows: passkeys (FIDO2/WebAuthn), TOTP, SAML 2.0, OIDC
Out of scope
- Third-party SaaS: Cloudflare, Stripe, Microsoft Graph, Backblaze
- Social-engineering attacks against Exceptao employees or customers
- Physical attacks against infrastructure or office
- Denial-of-service attacks against production systems
- Findings from automated scanners without demonstrated impact
- Missing HTTP security headers with no exploitable consequence
Out of scope — details
We rely on Cloudflare, Stripe, Microsoft, and Backblaze as sub-processors. Vulnerabilities in those systems should be reported directly to those vendors via their own disclosure programmes.
Rate-limiting and brute-force findings are only in scope if you can demonstrate meaningful account compromise or data access — not merely that requests are not throttled on a public endpoint.
Safe harbour
Exceptao will not initiate or support any legal action against researchers who discover and report security vulnerabilities in good faith and in accordance with this policy. We consider good-faith research to mean:
- You only access accounts and data you own or have explicit permission to test.
- You do not exfiltrate, modify, or destroy data beyond what is necessary to demonstrate the vulnerability.
- You do not deliberately degrade the availability or performance of the platform.
- You report the issue to us promptly and allow reasonable time for remediation.
- You do not disclose to third parties before coordinated disclosure is complete.
This safe-harbour commitment applies to reports sent to security@exceptao.com and does not extend to deliberate attacks, extortion attempts, or claims made after public disclosure without prior notification.
Bug bounty programme
We are evaluating Intigriti and HackerOne for a formal, paid bug-bounty programme in 2026 H2. Until that programme launches:
- Responsible disclosure is acknowledged publicly on this page (with your consent).
- Cash rewards are considered on a case-by-case basis for high-severity findings — authentication bypass, tenant cross-contamination, audit-log tampering, or similar.
- All other valid reports receive written acknowledgment and a credit on this page.
There is no minimum or maximum bounty amount at this time; we will agree a figure with the reporter before paying.
Acknowledgments
We are grateful to the following researchers who have reported vulnerabilities responsibly.
No published researchers yet — be the first.