The official website of VarenyaZ
VarenyaZ
Trust Center

Security reporting channel

Responsible Disclosure

A safe public path for clients, researchers, and third parties to report suspected vulnerabilities or security concerns without using public forms for secrets or sensitive data.

How this page supports country onboarding

Country onboarding pages and Trust Center pages can link here when procurement teams ask about vulnerability reporting and security-contact process.

Important note

This page is general onboarding and review information. It is not legal, tax, regulatory, cybersecurity, financial, or compliance advice, and it does not create certification claims or service commitments. Final obligations belong in signed agreements and approved project documents.

Reporting

Report security concerns through a controlled channel

Security reports should include the affected URL or system, vulnerability type, impact, reproduction steps, timestamps, test account details where applicable, and safe evidence.

Reports should not include passwords, private keys, raw personal data, payment card data, production secrets, or destructive exploit output, and the issue should not be disclosed publicly before triage.

Triage

Reports are reviewed by severity and user impact

Reports should be triaged based on exploitability, affected users, data exposure risk, business impact, affected environment, and whether the issue affects a critical workflow.

  • Critical: active exploit, exposed secrets, authentication bypass, personal data exposure, or payment/security impact.
  • High: realistic exploitation path or serious control weakness.
  • Medium/low: limited impact, hard-to-exploit, or defense-in-depth issues.

Boundaries

Testing must avoid harm

Reporters should avoid privacy violations, service disruption, data destruction, social engineering, spam, physical attacks, and testing against systems they are not authorized to inspect.

Preparation

Buyer checklist

  • Use a controlled security contact instead of public comments.
  • Include reproducible steps and safe evidence.
  • Do not include secrets or raw personal data.
  • Avoid service disruption and destructive testing.
  • Wait for triage before public disclosure.

Review materials

Available artifacts

  • Security report template
  • Triage severity model
  • Remediation tracking
  • Retest evidence

Local overlays

Country-specific notes

United States

  • United States clients should use this page together with the United States onboarding guide before sharing confidential materials or signing documents.
  • Country review flags: Legal review, Security review, Privacy review, Export-control review when applicable, Regulated-industry review when applicable.
  • Final rights, responsibilities, payment terms, IP terms, security commitments, and privacy commitments must be captured in signed documents.

United Kingdom

  • United Kingdom clients should use this page together with the United Kingdom onboarding guide before sharing confidential materials or signing documents.
  • Country review flags: Legal review, Privacy review, Security review, UK transfer review when applicable.
  • Final rights, responsibilities, payment terms, IP terms, security commitments, and privacy commitments must be captured in signed documents.

European Union / EEA

  • European Union / EEA clients should use this page together with the European Union / EEA onboarding guide before sharing confidential materials or signing documents.
  • Country review flags: GDPR review, SCC review, Security review, AI use-case review when applicable.
  • Final rights, responsibilities, payment terms, IP terms, security commitments, and privacy commitments must be captured in signed documents.

South Korea

  • South Korea clients should use this page together with the South Korea onboarding guide before sharing confidential materials or signing documents.
  • Country review flags: PIPA review, Cross-border transfer review, Security review, Procurement review, Regulated-industry review when applicable.
  • Final rights, responsibilities, payment terms, IP terms, security commitments, and privacy commitments must be captured in signed documents.

Canada

  • Canada clients should use this page together with the Canada onboarding guide before sharing confidential materials or signing documents.
  • Country review flags: Privacy review, Security review, Procurement review.
  • Final rights, responsibilities, payment terms, IP terms, security commitments, and privacy commitments must be captured in signed documents.

Australia

  • Australia clients should use this page together with the Australia onboarding guide before sharing confidential materials or signing documents.
  • Country review flags: Privacy review, Security review, Procurement review.
  • Final rights, responsibilities, payment terms, IP terms, security commitments, and privacy commitments must be captured in signed documents.

Singapore

  • Singapore clients should use this page together with the Singapore onboarding guide before sharing confidential materials or signing documents.
  • Country review flags: Privacy review, Security review, Procurement review.
  • Final rights, responsibilities, payment terms, IP terms, security commitments, and privacy commitments must be captured in signed documents.

United Arab Emirates

  • United Arab Emirates clients should use this page together with the United Arab Emirates onboarding guide before sharing confidential materials or signing documents.
  • Country review flags: Privacy review, Security review, Procurement review, Regulated-industry review when applicable.
  • Final rights, responsibilities, payment terms, IP terms, security commitments, and privacy commitments must be captured in signed documents.

Next review

Connect this review to country onboarding

Use this page with the country onboarding guide so your legal, procurement, security, privacy, finance, and engineering teams have the right review path before contract signature.