Vulnerability Disclosure Policy
Last updated: July 9, 2026
Candor Host welcomes reports from security researchers. This policy explains how to report a suspected vulnerability, what is in scope, and what we commit to researchers who report in good faith.
Reporting a vulnerability
Email security@candorhost.com. If you require encrypted communication, request our current PGP key in your initial message and we will provide it.
Include:
- A description of the vulnerability and its potential impact.
- Steps to reproduce, ideally with a proof of concept.
- The affected URL, endpoint, or component.
- Your name or handle if you'd like credit, or "anonymous" if not.
Scope
The following are in scope for coordinated disclosure:
- The candorhost.com marketing website.
- The billing.candorhost.com client portal.
- Any Candor Host-operated API endpoint.
- Candor Host-operated mail infrastructure.
- Candor Host-managed DNS infrastructure.
The following are out of scope and should not be reported here:
- Vulnerabilities in customer-hosted content or applications (report those to the customer directly).
- Vulnerabilities in third-party software we integrate with (WordPress, Stripe, our upstream network providers). Report those to the vendor.
- Social engineering of Candor Host staff.
- Physical attacks against our facilities or infrastructure.
- Denial of service testing.
- Automated scanning or brute-force attacks.
Safe harbor
If you make a good-faith effort to comply with this policy while reporting a vulnerability, we consider your testing and reporting to be authorized and:
- We will not pursue civil or criminal action against you, or refer your activity to law enforcement.
- We will work with you if a third party (upstream provider, law enforcement) takes action based on your testing that we can reasonably intervene on.
To qualify for safe harbor, you must:
- Only test against your own accounts or accounts you have explicit written permission to test.
- Not access, modify, download, or delete data belonging to any other customer.
- Not perform any action that would degrade service for other customers.
- Not violate any applicable law.
- Give us a reasonable time to remediate before publicly disclosing.
What we commit
- We will acknowledge receipt of your report within 3 business days.
- We will provide an initial triage response — including whether the report is in scope, an initial severity assessment, and an expected remediation timeline — within 10 business days.
- We will keep you updated on progress toward remediation.
- We will credit you publicly on this page (with your permission) once the vulnerability is fixed.
- We will not require a non-disclosure agreement to receive a report; however, we ask that you not publicly disclose the vulnerability until it is remediated and coordinated with us.
Bug bounty
We do not currently operate a paid bug bounty program. As we scale, we intend to launch one. For now, we offer public credit and our sincere thanks.
security.txt
For automated discovery, we publish a security.txt file at candorhost.com/.well-known/security.txt per RFC 9116.
Contact
- Security reports: security@candorhost.com
- General legal inquiries: legal@candorhost.com
Hall of fame
Once we receive our first accepted report, we will list acknowledged researchers here.