Responsible Disclosure


Xaptum takes security very seriously and investigates all reported vulnerabilities. This page describes our practices for addressing potential vulnerabilities in all aspects of our products.

Reporting Suspected Vulnerabilities

Please email security@xaptum.com to report any security vulnerabilities. We strongly encourage you to encrypt disclosure emails. Our public key is available on this page below, from the PGP key server, or by emailing us directly.

So that we may respond to your report more effectively, please provide any supporting material (proof-of-concept code, tool output, etc.) that would help us understand the nature and severity of the vulnerability. The information you share with Xaptum as part of this process is kept confidential within Xaptum. It will not be shared with third parties without your permission.

We will acknowledge receipt of your vulnerability report by the next business day and assign it a tracking number. We will notify you after the vulnerability has been fixed. If you would like to know the status of your disclosure before then, please feel free to email us again.

We do not provide monetary compensation for reporting vulnerabilities at this time. If desired, we will publicly acknowledge your responsible disclosure after we have fixed the vulnerability and notified all affected parties. When possible, we prefer that our respective public disclosures be posted simultaneously.

Penetration Testing

Prior written permission is required to conduct red teaming or other penetration testing against Xaptum products. You can apply by emailing security@xaptum.com with details about your plans and experience. The Director of Security and VP of Engineering will review your plans. You will receive a response approving, denying, or requesting changes to your plans within seven business days.

PGP Public Key