Intentra

Responsible Disclosure Policy

Version 1.0 — Effective February 14, 2026

Intentra values the work of security researchers and the broader security community. If you believe you have found a security vulnerability in our platform, we encourage you to report it responsibly.

1. Scope

In Scope

  • intentra.sh — Web application and marketing site
  • api.intentra.sh — REST API
  • docs.intentra.sh — Documentation site
  • Intentra CLI — Command-line tool (intentra-cli)

Out of Scope

  • Third-party services (Auth0, Stripe, Vercel, AWS, PostHog, Sentry, Cloudflare)
  • Social engineering attacks against Intentra employees or users
  • Denial of service (DoS/DDoS) attacks
  • Physical security attacks
  • Automated vulnerability scanning that degrades service availability
  • Spam or phishing campaigns

2. How to Report

Send vulnerability reports to [email protected]. Please include the following in your report:

  • Description: A clear description of the vulnerability
  • Steps to Reproduce: Detailed steps to reproduce the issue
  • Impact Assessment: Your assessment of the potential impact
  • Proof of Concept: Any supporting evidence (screenshots, logs, code snippets)
  • Contact Information: How we can reach you for follow-up

For sensitive reports, you may request our PGP public key by emailing [email protected] with the subject line "PGP Key Request".

3. What to Expect

  • Acknowledgment: We will acknowledge receipt of your report within 2 business days
  • Assessment: We will provide an initial assessment of the report within 5 business days
  • Updates: We will provide regular updates on remediation progress
  • Resolution: We will notify you when the vulnerability has been resolved

We aim to resolve critical vulnerabilities within 7 days and high-severity vulnerabilities within 30 days. Timelines may vary based on complexity.

4. Safe Harbor

Intentra will not pursue legal action against security researchers who act in good faith and in accordance with this policy.

We consider security research conducted under this policy to be authorized if you:

  • Do not access, modify, or delete other users' data
  • Do not degrade service availability for other users
  • Do not exploit vulnerabilities beyond what is necessary to demonstrate a proof of concept
  • Report findings promptly and do not disclose publicly until we have had reasonable time to remediate
  • Do not use findings for personal gain beyond recognition

We will not penalize accounts used for good-faith security research conducted under this policy.

5. Recognition

We believe in recognizing the contributions of security researchers. With your permission, we will credit researchers who report valid vulnerabilities. We do not currently offer monetary bounties but may introduce a formal bug bounty program in the future.

6. Contact

Security Reports: [email protected]

General Support: [email protected]

Security.txt: /.well-known/security.txt
