Vulnerability Disclosure Policy
Introduction
At Pylon, we take the security of our platform and our customers' data seriously. We appreciate the work of security researchers and welcome responsible disclosure of potential vulnerabilities.
1. Reporting a Vulnerability
Think you've found a security vulnerability? Please report it to: vulnerability-disclosure@usepylon.com
2. Program Guidelines
2.1 Scope & Safe Harbor
- We welcome security research on all internet-facing Pylon assets
- All internet-facing assets are in scope, including but not limited to:
  - api.usepylon.com
  - app.usepylon.com
  - graph.usepylon.com
  - widget.usepylon.com
- We provide safe harbor from the Computer Fraud and Abuse Act (CFAA) and the Digital Millennium Copyright Act (DMCA) for all good faith security research
- We permit responsible disclosure of vulnerability findings, provided that such disclosure does not violate the confidentiality of our customers' data
2.2 Out of Scope
- Denial of Service (DoS/DDoS) attacks
- Social engineering of Pylon employees or customers
- Physical security testing
- Automated scanning without manual validation
- Issues in third-party services not directly controlled by Pylon
2.3 What We Need From You
- Detailed vulnerability description including the specific product, URL, and parameter affected
- Clear reproduction steps that allow our security team to validate the finding
- Impact assessment explaining the potential security implications
- Proof-of-concept (if possible) demonstrating the vulnerability without causing harm
- Your contact information for any follow-up questions
2.4 Response Expectations
Due to the volume of reports we receive, please note:
We prioritize reports based on severity and impact to our customers.
We cannot respond to all submissions, particularly those that:
- Do not follow our disclosure guidelines
- Contain unvalidated vulnerabilities (except where validation would cause harm)
- Report low-value findings commonly identified by automated scanners (e.g., SPF/DMARC records, TLS cipher suites)
- Rely solely on brute force attacks or social engineering
- Are duplicates of previously reported issues
2.5 Good Faith Guidelines
When conducting security research, please:
- Make every effort to avoid privacy violations and disruption to our services
- Only interact with your own accounts or test accounts for security research
- Do not access, modify, or delete customer data
- Stop testing and report immediately if you encounter customer data
- Do not perform actions that could harm the reliability or integrity of our services
2.6 Recognition
While we don't currently offer a paid bug bounty program, we deeply appreciate the security community's contributions to keeping Pylon secure. We're happy to acknowledge researchers who report valid security issues (with your permission).