Vulnerability Disclosure Program
How security researchers can report suspected vulnerabilities in Squash systems safely, responsibly, and in a way our team can triage.
Last updated June 21, 2026
Key points
- Report channel: Send vulnerability reports to security@squash.ai with enough detail for Squash to reproduce and triage the issue.
- Safe testing: Good-faith research must avoid privacy violations, service disruption, persistence, social engineering, and access to data that does not belong to the researcher.
- No bounty commitment: Squash accepts responsible disclosures, but does not currently operate a paid bounty program unless a written agreement says otherwise.
Scope
This program covers suspected security vulnerabilities in public Squash-owned web properties and Squash product surfaces that a customer or researcher is explicitly authorized to access.
Testing must stay within accounts, workspaces, tenants, assets, and data that the researcher owns or is authorized to test.
In scope
squash.ai public pages, app.usesquash.ai authenticated product surfaces you are authorized to use, and api.usesquash.ai endpoints you are authorized to call.
Out of scope
Denial-of-service testing, spam, social engineering, physical attacks, employee or customer phishing, third-party systems, and attempts to access another customer's data.
How to report
Email security@squash.ai with a concise description, affected URL or asset, steps to reproduce, impact, screenshots or proof-of-concept details where safe, and your preferred contact information for follow-up.
Do not include secrets, credentials, personal data, customer data, or exploit code beyond what is necessary to prove the issue safely.
What helps triage
Clear reproduction steps, observed and expected behavior, browser or client details, timestamps, request IDs if available, and a plain-English impact assessment.
What to avoid
Persistence, lateral movement, data exfiltration, destructive changes, privacy-invasive testing, automated high-volume scanning, or publishing details before Squash has had time to respond.
Safe harbor
Squash will not pursue legal action for good-faith research that follows this policy, avoids harm, reports promptly, and gives Squash a reasonable opportunity to investigate before public disclosure.
If research accidentally exposes data or systems outside the authorized scope, stop testing, do not copy or share the data, and report the issue immediately.
Our response
Squash reviews incoming reports, prioritizes validated issues based on severity and product impact, and remediates confirmed vulnerabilities through the normal engineering workflow.
We aim to acknowledge good-faith reports within a reasonable timeframe and may ask for additional detail when needed to reproduce the issue.
security.txt
Squash also publishes a security.txt file at /.well-known/security.txt so researchers and automated tooling can find the disclosure contact and policy URL.
Ready to report?
Send the report to security@squash.ai. Please include enough detail for Squash to reproduce and assess the issue safely.