Vulnerability Disclosure Policy

Needle values the work of security researchers and the broader security community. If you believe you have identified a security vulnerability involving Needle’s website, platform, or hosted services, we encourage you to report it to us responsibly.

Last updated: March 2026

This policy explains how to report potential vulnerabilities to Needle and what we ask of researchers when conducting security research.

How to Report a Vulnerability

Please send vulnerability reports to: security@needle.so

To help us investigate efficiently, please include as much of the following information as possible:

  • a clear description of the issue

  • the affected URL, feature, or system

  • steps to reproduce the issue

  • proof-of-concept code, screenshots, or logs where appropriate

  • the potential impact of the issue

  • your name or preferred contact information

  • whether you would like to be acknowledged after resolution

Our Commitment

When you submit a report in good faith and in accordance with this policy, Needle will aim to:

  • review and acknowledge receipt of your report within a reasonable timeframe

  • investigate the issue and determine appropriate remediation steps

  • work to validate and address legitimate vulnerabilities as promptly as practical

  • communicate with you, where appropriate, regarding status and resolution

Needle may prioritize response and remediation based on severity, exploitability, and impact.

Guidelines for Responsible Research

We ask that you:

  • make a good-faith effort to avoid privacy violations, data destruction, service interruption, or disruption to users

  • test only against accounts and assets you own or are explicitly authorized to test

  • give us a reasonable opportunity to investigate and remediate before publicly disclosing a vulnerability

  • avoid accessing, downloading, modifying, or deleting data that does not belong to you

  • stop testing and notify us immediately if you encounter sensitive data belonging to another party

Prohibited Activities

Under this policy, the following activities are not authorized:

  • denial-of-service or distributed denial-of-service attacks

  • spam, phishing, or social engineering targeting Needle, our customers, or our personnel

  • physical attacks against facilities or infrastructure

  • malware deployment or destructive payloads

  • attempts to exfiltrate data belonging to Needle, our customers, or other users

  • testing that intentionally degrades service availability or performance

  • attacks against third-party providers that are outside Needle’s control

Safe Harbor

Needle will not pursue legal action against researchers for good-faith security research conducted in a manner consistent with this policy and applicable law. This statement does not grant permission to access, modify, or disclose data that you do not own, nor does it authorize testing that harms Needle, its customers, or other users.

If there is any ambiguity about whether a particular testing method is in scope, contact us before proceeding at security@needle.so.

Bug Bounty

Unless Needle explicitly states otherwise in writing, Needle does not currently offer a paid bug bounty or guaranteed compensation for vulnerability reports.

Public Disclosure

We ask that you do not publicly disclose a vulnerability until:

  • we have had a reasonable opportunity to investigate and remediate the issue, and

  • we have confirmed with you that public disclosure is appropriate

If coordinated disclosure is appropriate, we are happy to discuss timing and acknowledgment.

Contact

For vulnerability reports or security questions, contact:

security@needle.so