Vulnerability Disclosure Program

We take security seriously and welcome good-faith research. If you find a vulnerability, report it to us privately — we'll investigate, fix, and acknowledge your contribution.

Report a Vulnerability

Send a clear description, affected endpoint, steps to reproduce, and potential impact to:

security@testseed.com

No login required. No CAPTCHA. PGP available on request.

Response Timeline

  • 24 h: Acknowledgement. We confirm receipt of your report.
  • 5–7 days: Triage. We evaluate scope and impact.
  • 90 days: Fix window. We aim to remediate before public disclosure.

Scope

In Scope

  • TestSeed web application and public APIs
  • Authentication and authorization flows
  • Data isolation between user accounts
  • API key security and session handling

Out of Scope

  • Social engineering or phishing attacks
  • Denial of service or volumetric attacks
  • Physical infrastructure or third-party services
  • Issues requiring customer credentials

Responsible Disclosure Guidelines

  • Do not access or exfiltrate customer data beyond what is needed to demonstrate the issue.
  • Avoid automated scanning at scale that could degrade service availability.
  • Allow us reasonable time to investigate before public disclosure.
  • Limit testing to proof of concept — no exploitation beyond that.

Safe Harbor

Research conducted in good faith and within this policy is considered authorized by TestSeed. We will not pursue legal action against researchers who follow these guidelines. Safe harbor applies only to TestSeed-owned systems.

Bug Bounty

TestSeed does not currently operate a paid bug bounty program. Valid reports that improve our security posture will be acknowledged — Hall of Fame credit available on request.

Questions about our security practices?
