CoreStory Security Disclosure Policy

CoreStory takes the security of our platform and customer data seriously. If you believe you've found a security vulnerability in our systems, we want to hear from you.

Reporting

Send findings to security@corestory.ai. Include a clear description of the issue, steps to reproduce, and your assessment of potential impact. We'll acknowledge receipt within 3 business days and aim to provide an initial triage response within 10.

Scope

In scope: corestory.ai and any subdomains, our API endpoints, and our web application. Out of scope: third-party services we integrate with, social engineering attacks, volumetric denial-of-service, and findings from automated scanners submitted without analysis.

What we ask of you

Act in good faith. Don't access, modify, or exfiltrate customer data beyond what's necessary to demonstrate the vulnerability. Don't disrupt production systems. Give us reasonable time to remediate before disclosing publicly — we ask for 90 days from your initial report.

What you can expect from us

We won't pursue legal action against researchers who follow this policy. We'll keep you informed of remediation progress on confirmed findings. We don't currently operate a formal bug bounty program, but we consider discretionary recognition for significant valid findings.

Exclusions

Reports that violate this policy, contain no technical detail, or involve findings already known to us are ineligible for recognition.