Security at strackt

If you've found a vulnerability, we want to hear about it.

Last updated April 27, 2026

We take the security of strackt and our customers' infrastructure seriously. If you've found a vulnerability, we want to hear about it.

This page describes how to report security issues to us, what we consider in scope, and what you can expect from us in return.

Reporting a vulnerability

Email [email protected].

For sensitive reports, please encrypt with our PGP key:

Fingerprint: B9E1 C515 66A6 946D C35A  EFFE E470 96FC 1FA0 D4E4

Include in your report:

  • A clear description of the vulnerability
  • Steps to reproduce, with a working proof of concept
  • The impact you believe this has
  • Any suggested remediation, if you have one

We do not currently offer monetary rewards. We credit researchers who report valid issues in our hall of fame below, with your permission. We expect to launch a paid bug bounty program after general availability — researchers who report valid issues during this disclosure-only phase will be invited to the private bounty when it opens.

What you can expect from us

  • Acknowledgment within 72 hours of your report reaching us.
  • An initial triage decision within 7 days — whether we consider the issue valid, its severity, and our intended timeline to fix.
  • Regular updates until the issue is resolved.
  • Public credit in our hall of fame once the issue is fixed and you've agreed to disclosure.
  • No legal action against you for good-faith research within the scope and rules below. See "Safe harbor" further down.

We aim to fix critical issues within 30 days, high-severity issues within 90 days, and lower-severity issues within 180 days. Complex issues may take longer; we'll tell you if so.

Scope

In scope

  • strackt.io and app.strackt.io
  • The strackt control plane API
  • The strackt CLI
  • The push-to-deploy webhook handler
  • Authentication, billing, and account management flows
  • Cross-tenant boundary violations (highest priority — see below)
  • Vulnerabilities in our control plane that could compromise customer servers we manage

Out of scope

  • Customer applications running on strackt-managed servers. These belong to our customers, not us. Report to them.
  • Direct attacks on customer servers. If you don't operate the server and it isn't a strackt-owned demo server, don't touch it. Attacks reachable through the control plane (e.g., "I made the control plane SSH into a server I don't own") are in scope and welcome.
  • Third-party services we depend on — Paddle, Bunny, Hetzner, GitHub, HashiCorp, and others. Report directly to them.
  • Our marketing site CMS, blog, and changelog
  • Denial-of-service attacks, including volumetric, application-layer, and resource exhaustion
  • Social engineering of strackt staff, contractors, customers, or vendors
  • Physical attacks against any infrastructure
  • Reports from automated scanners without a working proof of concept demonstrating real impact
  • Missing security headers without a demonstrated attack chain
  • Best-practice deviations without a concrete vulnerability (e.g., "TLS 1.2 is enabled," "cookie missing SameSite")
  • Issues requiring a rooted device, a malicious browser extension, or a compromised endpoint
  • Self-XSS, clickjacking on pages with no sensitive actions, CSRF on logout
  • Vulnerabilities in software versions older than the current production release
  • AI-generated reports without a verified, reproducible proof of concept

Highest-priority categories

We pay particular attention to:

  • Cross-tenant data or control access — any path where one tenant can read, write, or affect another tenant's resources
  • Compromise of the control plane's ability to act on customer servers — privilege escalation, secret extraction, SSH CA compromise, push-path tampering
  • Authentication and authorization bypass on the control plane
  • Secret material exposure — credentials, tokens, keys, especially those with cross-customer reach

If you find something in these categories, say so loudly in your report.

Rules of engagement

To stay within safe harbor, please:

  • Only test against accounts and resources you own
  • Do not access, modify, or exfiltrate data that does not belong to you — if you accidentally do, stop immediately and tell us
  • Do not run automated scanners against app.strackt.io without first contacting us
  • Do not perform denial-of-service testing
  • Do not use social engineering, phishing, or physical attacks
  • Give us a reasonable opportunity to fix the issue before public disclosure — we suggest 90 days from initial report, negotiable for complex issues
  • Do not extort, threaten, or pressure us for payment in exchange for not disclosing — we will not engage with reports framed this way

Safe harbor

If you make a good-faith effort to comply with this policy during your security research, we will:

  • Consider your research authorized under the Computer Fraud and Abuse Act, the EU NIS2 Directive, the Dutch Computer Crime Act, and equivalent laws in your jurisdiction
  • Not pursue or support legal action against you
  • Work with you to understand and resolve the issue quickly

If a third party initiates legal action against you for activity conducted in good faith under this policy, we will make it clear that your actions were authorized.

This safe harbor applies only to the extent we are legally able to grant it. If you are unsure whether your planned research falls within this policy, contact us at [email protected] before testing.

Coordinated disclosure

We follow a 90-day coordinated disclosure timeline by default. We're happy to negotiate this for complex issues that need more time, or to disclose sooner if a fix ships earlier and you'd like to publish.

We ask that you do not publicly disclose the issue before we've had a chance to fix it and notify affected customers.

What we don't do

  • We don't pay bounties yet. We will, after general availability.
  • We don't run a public researcher leaderboard with point scores.
  • We don't NDA researchers. Your report and our response are yours to publish, after coordinated disclosure.

Hall of fame

Be the first.

Last updated: April 27, 2026. This policy may change; the version at the time of your report applies to that report.