Security
Security & responsible disclosure
We welcome reports from security researchers acting in good faith. This page explains how to report a vulnerability, what is in scope, and the safe-harbor commitment we make in return. ApexGEO runs a coordinated-disclosure program; we do not currently offer monetary bounties, but we credit reporters who want recognition.
How to report
Email [email protected] with a clear description, the affected URL or endpoint, and step-by-step reproduction (a proof of concept or short video helps). Our machine-readable contact is published at /.well-known/security.txt. Please do not disclose the issue publicly until we have confirmed a fix.
Safe harbor
If you make a good-faith effort to comply with this policy during your research, we will consider it authorized, will not pursue or support legal action against you, and will work with you to understand and resolve the issue quickly. Act in good faith: only test against your own account or accounts you have permission to use, never access or modify other users' data, and stop as soon as you confirm a vulnerability.
In scope
- apexgeo.app and its subdomains (app, www)
- The ApexGEO API and dashboard
- Authentication, authorization, and tenant-isolation flaws
- Injection, SSRF, RCE, and data-exposure issues
Out of scope
- Findings from automated scanners without a working proof of concept
- Denial of service, volumetric, or brute-force testing
- Social engineering, phishing, or physical attacks against staff
- Missing best-practice headers with no demonstrated impact
- Reports against third-party services we use (report those to the vendor)
What to expect
We acknowledge reports within one business day, confirm the issue and an expected remediation timeline after triage, and notify you when a fix ships. With your permission, we credit you in our release notes once the issue is resolved.
Looking for our data-handling commitments? See the Trust Center, Privacy Policy, and Data Processing Agreement.