Security
Responsible Disclosure
If you've found a vulnerability in threatover.com or a service we operate, we want to hear from you. Here's how to report it.
Scope
- threatover.com and its subdomains
- Public APIs operated by threatover
- Customer-facing email infrastructure (noreply@, hello@)
Out of scope: third-party services we use (Cloudflare, AWS SES, etc.) — report those directly to the vendor. Customer sites we are actively cleaning are out of scope; report through your engagement contact.
How to report
Send a written report to [email protected]. Include:
- A clear description of the issue and the affected endpoint or component
- Steps to reproduce, ideally with a minimal proof-of-concept
- What you believe the impact is
- Whether you've shared the issue elsewhere
PGP encryption is welcome but not required. If you need a key, ask in your first message and we'll send one.
What you can expect
- Acknowledgement of your report within five business days
- An honest assessment of severity and intended remediation timeline
- Credit in any public write-up if you want it (and we ask before naming you)
- Coordination on disclosure timing — we aim for fix-before-publish
Safe harbor
We will not pursue legal action against researchers who:
- Stick to the in-scope assets above
- Avoid degrading service for other users (no DoS, no destructive testing on shared resources)
- Do not access, modify, exfiltrate, or retain data belonging to other people beyond what is strictly necessary to demonstrate the issue
- Report the issue privately and give us reasonable time to fix it before publishing
- Comply with applicable law
Out of scope (please don't bother reporting)
- Missing security headers without a demonstrable impact
- SPF / DMARC / DKIM configuration without a working spoofing PoC
- Self-XSS, clickjacking on pages without sensitive actions
- Output from automated scanners with no validation
- Username enumeration on public endpoints (we don't have user accounts to enumerate)
Rewards
We do not currently run a paid bug bounty. We will publicly thank you (with permission) and we can issue a recommendation letter for serious findings if that helps you.
Machine-readable
Our security.txt is at /.well-known/security.txt.