
Report a Security Vulnerability

SprintHive welcomes good-faith reports of security vulnerabilities affecting SprintHive systems, services, applications, APIs, and websites.
 

If you believe you have found a security issue, please report it using the form below.
 

[Security report form]

 

What to Include
 

Please include as much of the following as possible:

  • Affected URL, system, API, or service

  • Description of the issue

  • Steps to reproduce

  • Potential impact

  • Screenshots, request/response samples, or logs where helpful

  • Your contact details so we can follow up
     

Please do not include unnecessary personal information, customer data, secrets, credentials, or production data in your report.
 

Good-Faith Research
 

We ask that you:

  • Avoid accessing, modifying, deleting, or exfiltrating data that is not yours

  • Stop testing and report promptly if you encounter personal information, customer data, credentials, or secrets

  • Avoid service disruption, denial-of-service testing, spam, social engineering, phishing, and physical attacks

  • Use your own accounts and test data where possible

  • Keep vulnerability details confidential until SprintHive has had a reasonable opportunity to investigate and remediate
     

Our Process

We aim to acknowledge valid security reports within 2 business days.

We will review the report, assess impact, and may contact you for additional detail. Remediation timelines depend on severity, exploitability, affected systems, and customer impact.
 

Scope
 

This disclosure process is intended for security vulnerabilities in SprintHive-managed systems and services.

It is not for:

  • General support requests

  • Sales enquiries

  • Account access issues

  • Vulnerabilities in third-party systems not operated by SprintHive

  • Reports based only on automated scanner output without evidence of exploitability
     

Rewards
 

SprintHive does not currently operate a paid bug bounty programme.
 

Coordinated Disclosure

Please do not publicly disclose the issue until we have completed our investigation or agreed a disclosure timeline with you.
