Found something? Tell us.
Eisberg's security posture depends on the security research community as much as it depends on our internal review. If you have found a vulnerability, this is how we want to hear about it — and what you can expect when you report it.
security@eisbergdata.com
The single email for vulnerability reports. PGP key available on request. We acknowledge every report within 24 hours.
What happens when you report.
1. Report: Email security@eisbergdata.com with your finding. PGP key available on request. Please do not file public issues for unfixed vulnerabilities.
2. Acknowledge: We acknowledge every report within 24 hours, in English. The first reply names the engineer triaging your finding.
3. Triage: Initial severity assessment within 3 business days. We share the working classification, planned remediation timeline, and any clarifying questions.
4. Remediate: Critical issues remediated in days, not weeks. We share the fix timeline and the post-deployment verification plan.
5. Disclose: Coordinated disclosure on a timeline that respects customer protection and researcher credit. We name reporters in the security advisory unless you prefer to remain anonymous.
Working with security researchers in good faith.
- We will not pursue legal action against researchers who report findings in good faith and follow this disclosure process.
- Testing must not access, modify, or delete other users' data.
- Testing must not degrade service availability for other users.
- Do not use automated scanners against production without coordination.
- Do not publicly disclose unfixed findings before our coordinated disclosure timeline.
What is not in scope for this program.
Findings on third-party infrastructure (cloud providers, sub-processors), denial-of-service issues that require sustained traffic, social engineering of Eisberg employees, and findings that require a compromised customer device are out of scope. If in doubt, ask us — we would rather hear about a borderline finding than miss a legitimate one.