Vulnerability Disclosure Policy

Last updated: July 9, 2026

Candor Host welcomes reports from security researchers. This policy explains how to report a suspected vulnerability, what is in scope, and what we commit to researchers who report in good faith.

Reporting a vulnerability

Email security@candorhost.com. If you require encrypted communication, request our current PGP key in your initial message and we will provide it.

Include:

  • A description of the vulnerability and its potential impact.
  • Steps to reproduce, ideally with a proof of concept.
  • The affected URL, endpoint, or component.
  • Your name or handle if you'd like credit, or "anonymous" if not.

Scope

The following are in scope for coordinated disclosure:

  • The candorhost.com marketing website.
  • The billing.candorhost.com client portal.
  • Any Candor Host-operated API endpoint.
  • Candor Host-operated mail infrastructure.
  • Candor Host-managed DNS infrastructure.

The following are out of scope and should not be reported here:

  • Vulnerabilities in customer-hosted content or applications (report those to the customer directly).
  • Vulnerabilities in third-party software we integrate with (WordPress, Stripe, our upstream network providers). Report those to the vendor.
  • Social engineering of Candor Host staff.
  • Physical attacks against our facilities or infrastructure.
  • Denial of service testing.
  • Automated scanning or brute-force attacks.

Safe harbor

If you make a good-faith effort to comply with this policy while reporting a vulnerability, we consider your testing and reporting to be authorized and:

  • We will not pursue civil or criminal action against you, or refer your activity to law enforcement.
  • We will work with you if a third party (upstream provider, law enforcement) takes action based on your testing that we can reasonably intervene on.

To qualify for safe harbor, you must:

  • Only test against your own accounts or accounts you have explicit written permission to test.
  • Not access, modify, download, or delete data belonging to any other customer.
  • Not perform any action that would degrade service for other customers.
  • Not violate any applicable law.
  • Give us a reasonable time to remediate before publicly disclosing.

What we commit

  • We will acknowledge receipt of your report within 3 business days.
  • We will provide an initial triage response — including whether the report is in scope, an initial severity assessment, and an expected remediation timeline — within 10 business days.
  • We will keep you updated on progress toward remediation.
  • We will credit you publicly on this page (with your permission) once the vulnerability is fixed.
  • We will not require a non-disclosure agreement to receive a report; however, we ask that you not publicly disclose the vulnerability until it is remediated and coordinated with us.

Bug bounty

We do not currently operate a paid bug bounty program. As we scale, we intend to launch one. For now, we offer public credit and our sincere thanks.

security.txt

For automated discovery, we publish a security.txt file at candorhost.com/.well-known/security.txt per RFC 9116.

Contact

Hall of fame

Once we receive our first accepted report, we will list acknowledged researchers here.