← Back to Trust Center

Trust Artifact Version 1.0 · 2026-06-18

Coordinated Vulnerability Disclosure Policy

72-hour acknowledgment. 7-day triage. 30-day fix for high-severity. 90-day coordinated disclosure. Safe harbor for good-faith researchers.

Outward-facing copy of the policy summarised in the repository's /SECURITY.md

Lives here because it's a contractual / sales-engineering artefact and travels with customer-facing diligence packages.

Our commitment

Colby's Data Movers commits to:

  1. Acknowledge a vulnerability report within 72 hours of receipt.
  2. Triage within 7 days — accept, reject, or request more info.
  3. Remediate or mitigate within 30 days for high-severity findings; within 90 days for medium-severity findings.
  4. Coordinate disclosure with the reporter — we will not name them without consent, and we will not publish details until a fix has shipped and customers have had reasonable time to upgrade.

How to report

  • Email: security@colbysdatamovers.com (or tyler@colbysdatamovers.com while that mailbox is being set up).
  • GPG key: published at the well-known security endpoint (https://colbysdatamovers.com/.well-known/security/pubkey.asc).
  • Do not open public GitHub issues for security findings.

Safe harbor

Good-faith security research is welcome and we will not pursue legal action when:

  • You report the finding directly to us before disclosing it elsewhere.
  • You do not access, modify, or destroy customer data.
  • You do not pivot — research targets are the Pathfinder binary, the MCP server, and the connector SDK. Customer SaaS endpoints are out of scope.
  • You respect the response timelines above and do not publicly disclose before the coordinated window closes.

Out of scope

  • Vulnerabilities in third-party SaaS endpoints Pathfinder connects to (report those to the affected vendor).
  • macOS / Apple notarisation issues — report to Apple.
  • Vulnerabilities that require physical or local administrative access to a device you already control.
  • Social engineering of CDM staff.

Severity guidance

Severity Examples
Critical Remote code execution; unauthorised access to customer SaaS credentials; audit-chain forgery
High Local privilege escalation; cross-workspace leak; bypass of the base-URL allow-list
Medium Logging that records secrets; broken capability scoping
Low Information disclosure that requires already being root on the device

Public credits

After a fix ships, we'll publish a brief acknowledgment in CHANGELOG.md and on https://colbysdatamovers.com/security/credits (when that page lands). Reporters may opt out of public credit; we'll respect that.

SLA exceptions

If a critical finding requires coordinated disclosure with an upstream vendor (e.g. a vulnerability in rustls), the timeline becomes joint with that vendor's response.

Version history

Version Date Change
1.0 2026-06-18 Initial publication

Have procurement questions?

Email security@colbysdatamovers.com or book a discovery call.

Book a discovery call →