Vulnerability Disclosure Policy
How to report a security vulnerability to Capconvert in a way that we can act on, and the safe-harbor commitments we make to researchers who do.
Capconvert, LLC welcomes responsible disclosure of security vulnerabilities affecting capconvert.com, the Cortex product, our APIs, our integrations, and any public-facing infrastructure we operate. This policy gives security researchers a clear path to report issues to us in good faith without fear of legal action, provided they follow the rules below.
Scope
In scope:
- capconvert.com and all subdomains
- The Cortex application, its API endpoints, and its chat surfaces
- The Capconvert PM dashboard and per-client preview URLs
- Authentication, authorization, and account-management flows
- Server-side bugs that could expose Customer Data, leak data across customer accounts, or escalate privilege
- Third-party connector misuse (Google Search Console, Google Analytics, Google Ads, Meta Ads, Ahrefs) that could expose another customer’s data
Out of scope:
- Third-party services we use (report to those providers directly: Vercel, Neon, Cloudflare, AWS, Anthropic, OpenAI, Google, Stripe, etc.)
- Theoretical issues without a working proof-of-concept (clickjacking on pages with no sensitive actions, missing security headers without demonstrated impact, missing SPF/DKIM records on subdomains that do not send mail, etc.)
- Denial-of-service or volumetric testing of any kind
- Social engineering of Capconvert employees, customers, or contractors
- Physical attacks against offices or staff
- Reports generated by automated scanners without manual validation
Safe Harbor
Capconvert will not pursue legal action under the Computer Fraud and Abuse Act, the Digital Millennium Copyright Act, or equivalent statutes against researchers who:
- act in good faith and with no intent to harm;
- test only against assets they own or are explicitly authorized to test (do NOT test against another customer’s account or data);
- avoid privacy violations, data destruction, or interference with other users;
- stop testing and report the issue as soon as a vulnerability is confirmed (do NOT pivot to other systems, escalate privileges, or exfiltrate more data than is needed to demonstrate the issue);
- do not publicly disclose the vulnerability before Capconvert has had a reasonable opportunity to remediate (see Coordinated Disclosure below);
- do not violate any applicable law in the course of testing.
How to Report
Send reports to:
help@capconvert.com with subject line “Security Vulnerability Report.”
A good report includes:
- a clear description of the vulnerability;
- the URL or endpoint affected;
- step-by-step reproduction instructions, including the HTTP request, payload, or a screenshot;
- impact assessment (what an attacker could do);
- your name or handle for credit (or a request for anonymous credit);
- any suggestions for remediation (optional but appreciated).
What We Do When We Receive a Report
- Acknowledge. We acknowledge receipt within three business days.
- Triage. We assign a severity (critical / high / medium / low / informational) and an internal owner. Critical and high issues are worked on continuously until resolved.
- Communicate. We share status updates at meaningful milestones (validated, fix in development, fix deployed, retested).
- Remediate. Target remediation times by severity: critical within 1-3 days, high within 7 days, medium within 30 days, low within 90 days. Where a fix takes longer because it requires architectural change or depends on a third party, we share the timeline.
- Credit. With your permission, we list your name or handle on the Capconvert security acknowledgements page after the issue is resolved.
Rewards
Capconvert does not currently run a public bug bounty program. We may, at our discretion, offer a one-time monetary reward for high-quality reports that materially improve the security posture. Rewards, when offered, are sized by severity, novelty, and clarity of the report.
Coordinated Disclosure
We support coordinated disclosure. Once a vulnerability has been remediated, you may publicly discuss your finding, share technical details, and reference Capconvert’s acknowledgement. If you wish to publish, share a draft of your write-up with us before publication so we can confirm its technical accuracy and agree on timing.
If 90 days have passed since your report and we have not communicated a clear remediation plan, you may publish in accordance with the disclosure norms of your choice. We’d prefer you check in with us first.
Last updated: May 26, 2026