Vulnerability Disclosure Policy

Effective date: 01-10-2026.

Introduction

Security Research Group LLC ("SRG," "we," "us," or "our") is committed to the security of our systems and the information entrusted to us. We value the work of the security research community and recognize that good-faith security research helps keep our systems and our clients safe. This Vulnerability Disclosure Policy ("Policy") describes what systems are in scope, how to conduct research, how to report a vulnerability to us, and what you can expect in return.

Authorization and Safe Harbor

If you make a good-faith effort to comply with this Policy during your security research, we will consider your research to be authorized, we will work with you to understand and resolve the issue quickly, and SRG will not pursue or support legal action against you related to your research. If legal action is initiated by a third party against you for activities that were conducted in accordance with this Policy, we will make this authorization known.

This authorization extends only to the systems described in the "Scope" section below and only to the extent your activities are consistent with this Policy. It does not authorize testing of systems that belong to our clients, partners, or other third parties.

Scope

This Policy applies to the following systems and services owned and operated by SRG:

  • securityresearch.us and its subdomains
  • Other internet-facing systems we explicitly identify in writing as in scope

The following are explicitly out of scope:

  • Systems, applications, or data belonging to our clients, including any environment we assess or operate under a client engagement. Vulnerabilities in client systems must be handled under the terms of the applicable client agreement, not this Policy.
  • Third-party services and platforms we use but do not operate (for example, our email or hosting providers). Report those to the relevant vendor under their own disclosure policy.
  • Non-public or non-internet-accessible systems.
  • Physical security testing, social engineering of our staff, denial-of-service testing, or any activity that could degrade, disrupt, or destroy our systems or data.

If you are unsure whether a system is in scope, contact us at security@securityresearch.us before beginning your research.

Rules of Engagement

To be considered authorized under this Policy, you must:

  • Make every effort to avoid privacy violations, degradation of user experience, disruption to production systems, and the destruction or manipulation of data.
  • Use exploits only to the minimum extent necessary to confirm a vulnerability's presence. Do not use an exploit to exfiltrate data, establish persistent access, or pivot to other systems.
  • Stop testing and notify us immediately if you encounter any client data, personal data, or other sensitive information.
  • Not access, modify, or delete data that does not belong to you.
  • Provide us with a reasonable amount of time to resolve an issue before disclosing it publicly.
  • Not submit a high volume of low-quality reports.

How to Report

Please send vulnerability reports to security@securityresearch.us. To help us triage and resolve the issue quickly, please include:

  • A description of the vulnerability and its potential impact
  • The specific system, URL, or component affected
  • Clear, reproducible steps, including any proof-of-concept where appropriate
  • Any tools or configurations used

You may submit reports anonymously. If you share contact information, we will acknowledge receipt within three (3) business days.

Our Commitments

When you report a vulnerability in good faith under this Policy, we will:

  • Acknowledge receipt of your report within three (3) business days (where contact information is provided).
  • Work to validate and triage the report in a timely manner and keep you informed of our progress where appropriate.
  • Use information you submit only for defensive purposes, namely to mitigate or remediate the vulnerability.
  • Not share your name or contact information without your express permission.

Coordinated Disclosure

We follow a coordinated disclosure model. We ask that you give us a reasonable period to remediate before any public disclosure. Industry practice is to allow up to ninety (90) days, and we will work with you in good faith on disclosure timing. If a reported vulnerability affects products or services beyond SRG, we may coordinate with the affected parties or the Cybersecurity and Infrastructure Security Agency (CISA) under its coordinated vulnerability disclosure process.

Recognition

We are grateful to researchers who help keep us secure. While we do not currently operate a paid bug bounty program, we are happy to acknowledge your contribution publicly with your permission.

Questions

Questions about this Policy may be sent to security@securityresearch.us. We may update this Policy from time to time; the effective date above reflects the most recent revision.