Vulnerability Disclosure Policy
Effective May 2026. Spectra welcomes good-faith security research and encourages responsible disclosure of vulnerabilities in our services.
Scope
This policy covers Spectra-operated services including the Personal and Enterprise cloud backends, the public ingestion API, and the landing pages at spectrawatcher.cloud.
Out of scope
- Third-party services, dependencies, or infrastructure not operated by Spectra.
- Denial-of-service attacks or tests that degrade service availability.
- Social engineering of Spectra staff or customers.
- Physical access attacks.
How to report
Send a report to security@spectrawatcher.cloud. Include a description of the vulnerability, reproduction steps, affected component, and your assessment of potential impact.
Response timeline
Spectra acknowledges receipt within 3 business days. We aim to triage and provide an initial assessment within 10 business days. We will keep you informed of remediation progress and notify you when the issue is resolved.
Safe harbour
Spectra will not pursue legal action against researchers who discover and report security vulnerabilities in good faith, provided testing is limited to the in-scope services above, does not harm users or degrade service availability, and findings are disclosed to us before public publication.
Coordinated disclosure
Spectra follows a coordinated disclosure model. We ask that you allow reasonable time for remediation before publishing details of the vulnerability. We will work with you to agree a disclosure timeline.