Coordinated Vulnerability Disclosure Policy
72-hour acknowledgment. 7-day triage. 30-day fix for high-severity. 90-day coordinated disclosure. Safe harbor for good-faith researchers.
Lives here because it's a contractual / sales-engineering artefact and travels with customer-facing diligence packages.
Our commitment
Colby's Data Movers commits to:
- Acknowledge a vulnerability report within 72 hours of receipt.
- Triage within 7 days — accept, reject, or request more info.
- Remediate or mitigate within 30 days for high-severity findings; within 90 days for medium-severity findings.
- Coordinate disclosure with the reporter — we will not name them without consent, and we will not publish details until a fix has shipped and customers have had reasonable time to upgrade.
How to report
- Email: security@colbysdatamovers.com (or tyler@colbysdatamovers.com while that mailbox is being set up).
- GPG key: published at the well-known security endpoint (
https://colbysdatamovers.com/.well-known/security/pubkey.asc). - Do not open public GitHub issues for security findings.
Safe harbor
Good-faith security research is welcome and we will not pursue legal action when:
- You report the finding directly to us before disclosing it elsewhere.
- You do not access, modify, or destroy customer data.
- You do not pivot — research targets are the Pathfinder binary, the MCP server, and the connector SDK. Customer SaaS endpoints are out of scope.
- You respect the response timelines above and do not publicly disclose before the coordinated window closes.
Out of scope
- Vulnerabilities in third-party SaaS endpoints Pathfinder connects to (report those to the affected vendor).
- macOS / Apple notarisation issues — report to Apple.
- Vulnerabilities that require physical or local administrative access to a device you already control.
- Social engineering of CDM staff.
Severity guidance
| Severity | Examples |
|---|---|
| Critical | Remote code execution; unauthorised access to customer SaaS credentials; audit-chain forgery |
| High | Local privilege escalation; cross-workspace leak; bypass of the base-URL allow-list |
| Medium | Logging that records secrets; broken capability scoping |
| Low | Information disclosure that requires already being root on the device |
Public credits
After a fix ships, we'll publish a brief acknowledgment in CHANGELOG.md and on https://colbysdatamovers.com/security/credits (when that page lands). Reporters may opt out of public credit; we'll respect that.
SLA exceptions
If a critical finding requires coordinated disclosure with an upstream vendor (e.g. a vulnerability in rustls), the timeline becomes joint with that vendor's response.
Version history
| Version | Date | Change |
|---|---|---|
| 1.0 | 2026-06-18 | Initial publication |
Have procurement questions?
Email security@colbysdatamovers.com or book a discovery call.
Book a discovery call →