Vulnerability Disclosure Program

Brief Overview

Spiro will engage with customers and security researchers when vulnerabilities are reported to us as described here. We will validate, respond to, and fix vulnerabilities in support of our commitment to security and privacy. We won’t take legal action against, suspend, or terminate access to the Service of those who discover and report security vulnerabilities responsibly. Spiro reserves all of its legal rights in the event of any noncompliance.

How can I participate?

If you discover a security vulnerability, we encourage you to report it by following these steps: 

  1. Share the details of any suspected vulnerabilities by sending an email to vulnerability@spiro.ai. 
  2. Our Security Ops team will evaluate your report and inform you of the status of your report. 
    - Reports that carry an acceptable risk but demonstrate a valid security-related behavior will be closed as “Informative.”
    - Identical reports will be marked as “Duplicate[s]” of the original submission; the original report can be marked as (but is not limited to) “Triaged”, “N/A”, or “Informative.”

Report Guidelines

In your report, please include the following information:

  • Vulnerable URL - the endpoint where the vulnerability occurs;
  • Vulnerable Parameter - if applicable, the parameter where the vulnerability occurs;
  • Vulnerability Type - the type of vulnerability;
  • Vulnerability Description - a detailed description of the issue;
  • Steps to Reproduce - step-by-step information on how to reproduce the issue;
  • Screenshots or Video - a demonstration of the attack;
  • Attack Scenario - an example attack scenario may help demonstrate the risk and get your issue resolved faster.