Vulnerability Disclosure Program

Last updated: May 28, 2026

1. Our Commitment to Security

SparkVault treats the confidentiality, integrity, and availability of customer data as a first-order product requirement. We design our systems to be resilient to attack, but we also recognize that no system is perfect. We welcome reports from security researchers, customers, and members of the broader community who identify potential vulnerabilities in our service.

This Vulnerability Disclosure Program ("VDP") sets out how to report a vulnerability to SparkVault, what you can expect from us in return, and the ground rules for good-faith research.

2. How to Report

Send all vulnerability reports to security@sparkvault.com. Reports should include enough detail for us to reproduce the issue and assess impact. We recommend including, at minimum:

  • A clear description of the vulnerability and its potential impact.
  • The exact URL, endpoint, or component affected.
  • Step-by-step reproduction instructions, including any payloads, scripts, or sample requests.
  • Any screenshots, logs, or proof-of-concept material that helps demonstrate the issue.
  • Your name or handle if you would like to be credited (optional).
  • Whether you have disclosed, or intend to disclose, the issue to any third party.

Sensitive proof-of-concept material may be encrypted to our PGP key on request. Email security@sparkvault.com first and we will arrange a secure channel.

3. Scope

The following SparkVault-operated assets are in scope for this program:

  • The SparkVault web application at app.sparkvault.com and the marketing site at sparkvault.com.
  • The SparkVault HTTP API at api.sparkvault.com and the associated short domains under .sv that we operate (including auth.sv, x.sv, files.sv, by.sv, and similar SparkVault-owned hosts).
  • SparkVault mobile applications distributed through official app stores.
  • First-party SparkVault SDKs and integrations published under our official organization on package registries (npm, Maven Central, etc.).

The following are out of scope and reports about them will generally not be eligible:

  • Findings against third-party services we depend on (for example AWS, Stripe, or Cloudflare). Please report those to the relevant provider directly.
  • Customer-controlled deployments, customer-owned domains routed to SparkVault, or third-party integrations not built by SparkVault.
  • Social engineering, phishing, or physical attacks against SparkVault employees, contractors, or facilities.
  • Denial-of-service, volumetric, or resource-exhaustion attacks against any environment, including non-production.
  • Missing best-practice configurations that do not directly enable an attack (for example a missing security header that does not lead to exploitable behavior).
  • Issues that require physical access to a victim's unlocked device or browser session.
  • Self-XSS, clickjacking on pages without sensitive actions, and other findings without a realistic attack path.
  • Reports generated solely by automated scanners without accompanying analysis or proof of impact.

We may, at our sole discretion, accept out-of-scope reports if they describe a serious issue.

4. Safe Harbor

SparkVault will not pursue civil or criminal action, or refer your activity for prosecution, in connection with good-faith security research that complies with this program. To qualify for safe harbor, your research must:

  • Stay within the scope described above.
  • Avoid privacy violations, destruction of data, degradation of service for other customers, and any action that would cause SparkVault or its customers measurable harm.
  • Use only your own test accounts, or accounts you have explicit permission to test against.
  • Not access, modify, or store data belonging to other SparkVault customers any more than is strictly necessary to demonstrate a vulnerability. Stop, delete any inadvertently accessed data, and report it as soon as you have a working proof of concept.
  • Give SparkVault a reasonable opportunity to investigate and remediate before any public disclosure or sharing with third parties.
  • Comply with all applicable laws.

Safe harbor applies only to actions taken in good faith. We cannot grant safe harbor against third parties whose systems or data you may interact with during research.

5. What to Expect From Us

When you submit a report to security@sparkvault.com:

  • We will acknowledge receipt of your report within a reasonable time after we receive it.
  • We will triage the report, determine whether it is in scope, and work to validate the issue.
  • We will keep you informed of meaningful progress as we investigate and remediate, where reasonable.
  • Once an issue has been resolved or mitigated, we may publish a coordinated advisory or release-note entry referencing the issue.
  • With your permission, we will credit you in any public acknowledgement.

SparkVault does not commit to specific response, triage, or remediation timelines through this program. Complex issues may take longer to resolve than straightforward ones. We will communicate honestly about timing when we can.

6. Recognition

We may, at our discretion, publicly acknowledge researchers who report valid, previously-unknown vulnerabilities through this program (for example on a hall-of-fame page or in advisory release notes). Researchers interested in monetary rewards for qualifying findings should contact security@sparkvault.com about our Bug Bounty Program.

7. Coordinated Disclosure

We ask that researchers do not publicly disclose, share with third parties, or otherwise release information about a vulnerability until we have had a reasonable opportunity to remediate it. If you intend to publish a writeup, please coordinate timing with us in advance via security@sparkvault.com. We are happy to review drafts and provide context that helps the writeup land accurately.

8. Changes to This Program

SparkVault may update this program at any time. The latest version always lives at this URL and supersedes prior versions. Material changes will be reflected by an updated "Last updated" date at the top of this page.

9. Contact

All program-related communication, including report submissions and follow-up questions, should be sent to security@sparkvault.com. We monitor that address during normal business hours.