Vulnerability Disclosure Program
Last updated: May 28, 2026
1. Our Commitment to Security
SparkVault treats the confidentiality, integrity, and availability of customer data as a first-order product requirement. We design our systems to be resilient to attack, but we also recognize that no system is perfect. We welcome reports from security researchers, customers, and members of the broader community who identify potential vulnerabilities in our service.
This Vulnerability Disclosure Program ("VDP") sets out how to report a vulnerability to SparkVault, what you can expect from us in return, and the ground rules for good-faith research.
Send all vulnerability reports to security@sparkvault.com. Reports should include enough detail for us to reproduce the issue and assess impact. We recommend including, at minimum:
Sensitive proof-of-concept material may be encrypted to our PGP key on request. Email security@sparkvault.com first and we will arrange a secure channel.
2. How to Report
The following SparkVault-operated assets are in scope for this program: The following are out of scope and reports about them will generally not be eligible: We may, at our sole discretion, accept out-of-scope reports if they describe a serious issue.3. Scope
SparkVault will not pursue civil or criminal action, or refer your activity for prosecution, in connection with good-faith security research that complies with this program. To qualify for safe harbor, your research must:
Safe harbor applies only to actions taken in good faith. We cannot grant safe harbor against third parties whose systems or data you may interact with during research.
4. Safe Harbor
When you submit a report to security@sparkvault.com:
SparkVault does not commit to specific response, triage, or remediation timelines through this program. Complex issues may take longer to resolve than straightforward ones. We will communicate honestly about timing when we can.
5. What to Expect From Us
We may, at our discretion, publicly acknowledge researchers who report valid, previously-unknown vulnerabilities through this program (for example on a hall-of-fame page or in advisory release notes). Researchers interested in monetary rewards for qualifying findings should contact security@sparkvault.com about our Bug Bounty Program.
6. Recognition
We ask that researchers do not publicly disclose, share with third parties, or otherwise release information about a vulnerability until we have had a reasonable opportunity to remediate it. If you intend to publish a writeup, please coordinate timing with us in advance via security@sparkvault.com. We are happy to review drafts and provide context that helps the writeup land accurately.
7. Coordinated Disclosure
SparkVault may update this program at any time. The latest version always lives at this URL and supersedes prior versions. Material changes will be reflected by an updated "Last updated" date at the top of this page.
8. Changes to This Program
All program-related communication, including report submissions and follow-up questions, should be sent to security@sparkvault.com. We monitor that address during normal business hours.
9. Contact