Skip to content
RiskMeter
Security

Vulnerability disclosure policy

RiskMeter is a security company. We take vulnerability reports about our own website and services seriously, and we want it to be easy for security researchers to tell us when something is wrong. This policy describes how to report, what to expect from us, and the protections we extend to good-faith researchers.

Last updated: 2026-04-29

1. Scope

This policy covers security vulnerabilities affecting:

  • The RiskMeter website at www.riskmetercybersecurity.com and its subdomains
  • The free-scan application form and the server-side handling of submissions
  • The data we hold about applicants and customers
  • Any RiskMeter-published software or content

The following are out of scope:

  • Third-party services we use (Vercel, Cloudflare, Neon, Slack, etc.) — please report those directly to the third party. If you believe a third-party issue affects RiskMeter customers, we want to hear about it.
  • Volumetric denial-of-service attacks, brute-force attempts, or rate-limit testing
  • Findings from automated scanners that lack a demonstrable proof of impact
  • Social engineering of RiskMeter staff, contractors, or customers
  • Physical attacks against RiskMeter property or personnel
  • Issues that require unreasonable user interaction (e.g., asking a victim to disable browser security and then visit a crafted page)
  • Reports of generic best-practice findings (e.g., missing security headers, low-strength TLS ciphers) that do not demonstrate concrete impact, unless they materially weaken a specific protection

2. How to report

Email security@riskmetercybersecurity.com. Plain text is fine. PGP encryption is optional and not currently required.

Please include in your report:

  • A clear description of the vulnerability
  • The exact URL, request, or component where it can be reproduced
  • Step-by-step reproduction instructions (cURL commands, request payloads, or browser steps)
  • The impact — what an attacker could realistically achieve
  • Any relevant supporting material (screenshots, video, sample payload), redacted of any third-party data you may have incidentally observed
  • Whether you would like to be credited if we acknowledge the finding (and how to credit you)

3. Our response timeline

We commit to the following response targets for in-scope reports. Times are measured from receipt of a complete report at the address above, in business days unless otherwise noted.

StageTarget
Acknowledgement of receipt2 business days
Triage decision (in/out of scope, severity)5 business days
Status update on validated findingsEvery 14 days, until resolved
Resolution of high or critical findingsWithin 30 days where reasonably feasible
Resolution of lower-severity findingsWithin 90 days where reasonably feasible

Where a fix takes longer than these targets (for example, because it depends on a third-party patch), we will explain the delay and provide a revised timeline.

4. Safe harbor

RiskMeter will not pursue or support legal action against researchers who, in good faith and in accordance with this policy:

  • Test only the in-scope assets listed in Section 1
  • Avoid harm to RiskMeter, its customers, or other users — including no destructive actions, no exfiltration of data beyond the minimum necessary to demonstrate impact, no persistence, and no pivoting beyond the original finding
  • Do not access, store, modify, or share personal data of RiskMeter applicants, customers, or staff
  • Stop testing as soon as a vulnerability is confirmed sufficiently to report it
  • Report the issue privately to the address in Section 2 and give us a reasonable opportunity to fix it before any public disclosure
  • Do not violate any applicable law or these Terms

If you are uncertain whether your planned testing falls within this safe harbor, please contact us first at security@riskmetercybersecurity.com and we will discuss it in good faith.

This policy does not authorize testing against any system other than those listed in Section 1, and it does not waive third-party claims or claims arising from activity outside the safe-harbor scope.

5. Recognition

If you would like to be credited for a valid finding, let us know in your report. Once a fix is in place, we are happy to publish a thank-you with the name or handle you specify, and a brief description of the issue if both parties agree it is appropriate to share.

We do not currently offer monetary rewards (a bug bounty), but we appreciate the work of researchers who help us keep RiskMeter and our customers safe.

6. Disclosure coordination

We follow a coordinated disclosure model. Please do not publish or share details of a vulnerability before we have had a reasonable opportunity to remediate it (typically the resolution targets in Section 3). If you believe an in-scope issue presents an imminent and ongoing risk to users, contact us immediately at security@riskmetercybersecurity.com and mark the subject line with [URGENT].

7. Machine-readable security contact

Our security contact is also published in machine-readable form at /.well-known/security.txt per RFC 9116.

8. Changes to this policy

We may update this policy from time to time. Material changes will be reflected by the “last updated” date at the top of this page.