
Responsible Disclosure

How to report security concerns to Patterned, and what to expect in return.

Effective May 16, 2026

If you believe you've discovered a security vulnerability or data issue related to the Patterned platform, we encourage responsible disclosure. This page explains how to report, what is in scope, and how we will respond.

Section 01

How to report an issue

Please report potential security concerns by email with as much detail as possible, including:

  • A clear description of the issue and its potential impact
  • Steps to reproduce, including any required preconditions
  • Affected URLs, endpoints, or platform areas
  • Any relevant screenshots, logs, or proof-of-concept artifacts

If a finding involves sensitive data, please describe what you observed without including the underlying data in your report. We will follow up to coordinate any further details needed.

hello@patterned.work

Section 02

Scope

This program covers vulnerabilities in the Patterned platform itself — our public-facing web applications and APIs, authentication and access-control flows, and data-handling paths under our direct control.

The following are generally out of scope, and reports about them are unlikely to result in action unless they demonstrate a concrete impact on Patterned users or data:

  • Vulnerabilities in third-party services we use (please report those to the third party directly)
  • Denial-of-service attacks, load testing, or any testing that degrades the experience for real users
  • Social engineering of our team, partners, or customers
  • Physical attacks against our offices, staff, or infrastructure
  • Findings produced solely by automated scanners without a demonstrated impact
  • Reports about missing best-practice headers or configuration recommendations without an exploit path

Section 03

Our commitment

When you report a valid issue in good faith, we will:

  • Acknowledge your report in a timely manner
  • Investigate and validate the issue, and triage by severity
  • Take reasonable steps to remediate verified issues on a schedule appropriate to the risk
  • Communicate during the resolution process and notify you when the issue is addressed
  • Credit researchers who request it, where it is responsible to do so

Section 04

Expectations

To keep this program useful and safe for everyone, we ask that you:

  • Do not exploit or misuse a finding beyond what is necessary to demonstrate the concern
  • Do not access, modify, or retain data beyond the minimum needed to confirm the issue, and delete any such data once your report is filed
  • Avoid privacy violations, service disruption, and any destructive testing
  • Do not publicly disclose the issue before we have had a reasonable opportunity to address it
  • Comply with applicable laws while testing

We appreciate the work researchers do to help keep the platform secure.

Section 05

Safe harbor

Patterned will not pursue legal action against security researchers who act in good faith and comply with this policy, including the scope and expectations described above. We consider activities conducted consistent with this policy to be authorized access to the Patterned platform.

If a third party (such as a hosting provider or law-enforcement authority) brings legal action against you because of activity that complied with this policy, we will make a reasonable effort to make clear that your activity was authorized. This policy does not authorize action that is unlawful or that affects systems not owned by Patterned.

Questions about this document can be sent to hello@patterned.work.