ShadowMap works closely with security researchers to identify and fix any security vulnerabilities in our infrastructure and products. If you believe you have found a security issue, we encourage you to notify us and work with us on the lines of this disclosure policy.

Let us know as soon as you discover a potential security issue. Depending on the severity, these issues will be given the highest priority in our issue trackers. Do not publicly disclose part, or all of the vulnerability until we have had a chance to investigate and remediate it with you.

Notify us on security@shadowmap.com. you may encrypt them to the following GPG key (https://keys.openpgp.org/vks/v1/by-fingerprint/DCA8B876C74862751CA44EF2779A0DA6378F1796). If you believe you have found a vulnerability that affects confidential information (such as customer data, source-code, credentials etc.), please confirm the potential issue with our team prior to attempting to gain access to the information or downloading any confidential data. Any security report that contains confidential information must be sent encrypted to our GPG public key.

Provide us with as much technical and background information on the vulnerability as you can. This includes proof-of-concept screenshots, PoC code, affected assets, and any mitigation recommendations that you may have identified.

The scope of our security program extends only to *.shadowmap.com or to the latest build of our products. If you’re unsure, please clarify if an asset is in scope prior to commencing your research. This gives our team a heads-up and can save your time from testing assets that are outside of our security program.