Skip Navigation
Get a Demo


Red Canary Responsible Disclosure

As your security ally, keeping our customers safe is Red Canary’s primary concern.  While we implement numerous Secure Development processes into our products, sometimes vulnerabilities escape detection and may exist in our production environment.

Red Canary appreciates the support of security researchers in the effort to quickly identify and remediate vulnerabilities in a manner that reduces the risk to all stakeholders. To encourage responsible disclosure, we ask that researchers partner with us using the following Responsible Disclosure Guidelines:

  • Comply with all applicable laws and regulations
  • Report vulnerabilities to us as quickly as reasonably possible
  • Allow Red Canary the opportunity to correct a vulnerability within a reasonable time frame before publicly disclosing the identified issue
  • Make a good faith effort to avoid privacy violations as well as destruction or interruption of our services
  • Do not modify or destroy data that does not belong to you
  • Avoid any activity that may impact the availability of Red Canary systems

As we partner with you to address reported vulnerabilities, Red Canary commits to:

  • Promptly acknowledge that your report has been received
  • Coordinate with you as openly and as quickly as possible to understand the nature of the issue
  • When it doesn’t put our stakeholders at risk, we will confirm the existence of the vulnerability and be transparent about what steps we are taking during the remediation process, including on issues or challenges that may delay resolution
  • Maintain an open dialogue to discuss issues
  • While we appreciate reports, we do not have a formal bug bounty at this time, and do not provide financial compensation for vulnerability reports

If you believe you’ve discovered a vulnerability in Red Canary’s platform, please get in touch at We will respond as quickly as possible, and ask that you not disclose any information publicly until the issue has been addressed.

Your reports should include:

  1. Name:
  2. Email Address:
  3. Phone Number:
  4. Vulnerability Description:
  5. Vulnerability Category:
  6. Validation Steps:
  7. Vulnerability Parameters:
  8. Attack Payload:
Back to Top