1. Scope
This policy covers security research focused on:
- https://cyberwolfe.com and any sub-domains we operate.
- The CyberWolfe-hosted contact API endpoint at /api/contact.
- Public CyberWolfe content delivered through our marketing site.
Out of scope:
- Client environments. If you discover an issue affecting one of our clients, contact us at info@cyberwolfe.com and we will route it appropriately.
- Findings against third-party services we use (Resend, Cloudflare, our hosting provider). Report those to the vendor through their own programs.
- Volumetric denial-of-service testing, social engineering against staff, and physical security testing.
2. How to report a vulnerability
Send a clear, reproducible report to privacy@cyberwolfe.com with a subject line beginning [Security].
Useful details include:
- Affected URL or component.
- Description of the issue and a clear proof-of-concept.
- Steps to reproduce, including any required tooling or browser version.
- Your assessment of impact and severity.
- Whether you intend to publish the finding and your preferred disclosure timeline.
For sensitive submissions, request our PGP key in your initial email and keep that first message free of technical detail; we will provide the key before any technical details are exchanged.
3. What you can expect from us
- Acknowledgement within one business day.
- Initial triage update within five business days, including our severity assessment and likely remediation path.
- Resolution updates as we make progress, at minimum every 14 days for open findings.
- Public credit on this page or in release notes if you would like it (anonymous credit is also fine).
4. What we ask of you
- Provide reasonable time for us to investigate and remediate before disclosure.
- Make a good-faith effort to avoid privacy violations, service disruption, and damage to data.
- Only interact with accounts you own or have explicit permission to test.
- Do not exfiltrate more data than necessary to demonstrate the issue.
- Do not publicly disclose the issue without prior coordination.
5. Safe harbour
We support good-faith security research. When you act in accordance with this policy, CyberWolfe will:
- Not pursue civil or criminal action against you for your research.
- Not refer your research to law enforcement.
- Work with you in good faith on disclosure timing.
Safe harbour does not apply to actions taken against client environments, accounts you do not own, or third parties.
6. Bug bounty
We do not currently operate a paid bug bounty program. Acknowledged researchers receive public credit and our gratitude. If we introduce a paid program in the future, the terms will be posted on this page.
7. Our own security posture
As a cybersecurity firm, we hold ourselves to the controls we recommend to clients. At a summary level we operate:
- SSO and phishing-resistant MFA for all employees.
- Endpoint detection and response on every workstation.
- Encrypted communications by default; sensitive client deliverables are exchanged only over encrypted channels.
- Annual third-party penetration testing of the marketing site and our internal systems.
- Centralised logging with retention periods documented in our internal information security policy.
- Documented incident response runbooks and regular tabletop exercises.
Clients under signed NDA can request a more detailed security posture summary or copies of relevant audit letters.
8. Related documents
9. Contact
Security reports: privacy@cyberwolfe.com
General inquiries: info@cyberwolfe.com
Active incident: our 24/7 incident response hotline is +1 (877) 965-3372.