Security & Vulnerability Disclosure Policy
We value the security community and believe that responsible disclosure is essential for keeping our users and services safe.
Our Commitment
iSpy Connect is committed to ensuring the safety and security of our customers and their data. We encourage the security community to help us by identifying and reporting potential vulnerabilities. We will make every effort to acknowledge your contributions and address valid reports in a timely manner.
How to Report a Vulnerability
If you believe you have discovered a security vulnerability in one of our services, please report it to us by email. Provide sufficient detail to allow us to reproduce the issue.
Our Policy & Rewards
- We will provide a timely response, acknowledging receipt of your report (typically within 3 business days).
- We will investigate the report and determine the severity and impact of the issue.
- We will keep you informed of our progress as we work to remediate the vulnerability.
- We do not offer monetary bounties for unsolicited reports at this time.
- For valid reports, we are happy to provide public acknowledgment and credit on our Hall of Fame page, with your permission.
Safe Harbor
We consider security research and vulnerability disclosure activities conducted under this policy to be authorized. We will not pursue civil or criminal action, or send a notice from our lawyers, for activities conducted in accordance with this policy. To the extent your activities are inconsistent with this policy, you may be subject to legal action.
Scope
This policy applies to the following services and domains:
- www.ispyconnect.com
- ispyconnect.com
- Our publicly available desktop and mobile applications
Out of Scope
The following are considered out of scope and should not be reported:
- Findings from automated scanners without a demonstrated proof-of-concept.
- Missing email security records (SPF, DKIM, DMARC).
- Missing security headers or "best practices" that do not lead to a direct vulnerability (e.g., missing HSTS, insecure cookie flags on non-sensitive cookies).
- Denial of Service (DoS or DDoS) attacks.
- Social engineering, phishing, or physical attacks.
- Publicly known software version numbers without a proof-of-concept for a vulnerability.