
Security Policy.

How to report security vulnerabilities to CheckUpstream. Scope, response timelines, and safe harbor.

Last updated: April 2026

1. Reporting a Vulnerability

If you discover a security vulnerability in CheckUpstream, please report it responsibly. Email [email protected] with a description of the issue, steps to reproduce, and any supporting evidence (screenshots, proof-of-concept code, etc.).

Please do not disclose the vulnerability publicly until we have had a reasonable opportunity to address it.

2. Scope

The following assets are in scope for security reports:

  • Web application — checkupstream.com and all subdomains.
  • SDKs — all official CheckUpstream SDK packages (TypeScript, Python, Go, PHP, Ruby, Rust, Java, .NET).
  • API — the CheckUpstream REST API.
  • CLI — the @checkupstream/cli package.

The following are out of scope:

  • Social engineering — phishing, pretexting, or other attacks targeting people rather than systems.
  • Denial of service — volumetric or resource-exhaustion attacks.
  • Third-party services — vulnerabilities in services we use but do not control.
  • Spam or rate-limit abuse — unless it leads to a meaningful security impact.

3. Response Timeline

We take every report seriously and commit to the following response timeline:

  • Acknowledgment — within 48 hours of receiving your report.
  • Triage — within 1 week we will assess severity and confirm whether the issue is valid.
  • Fix — we aim to resolve confirmed vulnerabilities within 90 days, depending on complexity. Critical issues are prioritised for faster resolution.

We will keep you informed of our progress throughout the process.

4. Recognition

We appreciate the work of security researchers who help keep CheckUpstream safe. With your permission, we will publicly credit you for any confirmed vulnerability you report. If you prefer to remain anonymous, we will respect that.

5. Safe Harbor

We consider good-faith security research to be authorised conduct. We will not pursue legal action against researchers who:

  • Act in good faith to avoid privacy violations, data destruction, and service disruption.
  • Only interact with accounts they own or have explicit permission to test.
  • Report vulnerabilities through the process described above.
  • Do not exploit a vulnerability beyond what is necessary to demonstrate it.

If legal action is initiated by a third party against you for activities conducted under this policy, we will take steps to make it known that your actions were authorised by us.

6. Contact

For any security questions or to report a vulnerability, email [email protected].