Introduction
Theia Insights takes security seriously. This page outlines our security policy for researchers who wish to report security vulnerabilities and the scope of our vulnerability disclosure program.
Reporting a Vulnerability
If you believe you’ve found a security vulnerability in our services, we encourage you to notify us. We welcome reports from everyone, including security researchers, users, and customers.
How to Report
Please send your findings to security@theiainsights.com. Encrypt your message using our PGP key if the report contains sensitive information.
What to Include
- A detailed description of the vulnerability
- Steps to reproduce the issue
- Any potential impact
- If possible, include screenshots or videos demonstrating the vulnerability
- Any ideas for mitigation
Response Timeline
- Acknowledgment: within 48 hours of receiving your report
- Initial assessment: within 5 business days
- Public disclosure: we request 90 days from the initial report before details are published
- We will coordinate with you on disclosure timing
- We may request an extension for complex issues
Scope
In-Scope
Domains:
- theiainsights.com and *.theiainsights.com
Applications:
- C2U web application
- Customer-facing API services
Infrastructure:
- Customer data distribution channels (S3 buckets, SFTP endpoints, etc.)
- AWS infrastructure misconfigurations within our control
Out-of-Scope
Third-Party Services:
- Login pages hosted by our authentication provider (AWS Cognito)
- AWS infrastructure outside our control
- Third-party integrations and dependencies
Attack Types:
- Social engineering attacks against employees or customers
- DoS/DDoS attacks
- Physical security vulnerabilities
- Automated scanning without prior written approval
Findings:
- Theoretical vulnerabilities without proof of concept
- Missing or misconfigured security headers without demonstrated impact
- Vulnerabilities in dependencies without demonstrated exploit path
Rules of Engagement
- Make a good-faith effort to avoid privacy violations, data destruction, or service interruption
- Only interact with accounts you own or have explicit permission to test
- Do not exfiltrate data beyond what is necessary to demonstrate the vulnerability
- Do not modify or delete data in our systems
Safe Harbor
We will not take legal action against researchers who:
- Make a good-faith effort to comply with this policy
- Avoid intentional harm to our systems or data
- Do not publicly disclose details before we’ve had reasonable time to remediate
Eligibility
- You must be the first to report the vulnerability
- You must not be a current or former employee or contractor
- You must not reside in a country subject to trade sanctions
- You must be able to receive payment legally
Duplicate Reports
If multiple researchers report the same issue, the reward goes to the first valid report received.
Rewards
We offer rewards for valid security vulnerabilities at our discretion:
| Severity | Reward |
|---|---|
| Critical | Up to $1,000 |
| Medium | Up to $500 |
| Low | Hall of Fame recognition |
Final amounts depend on severity, exploitability, report quality, and potential impact. We may increase rewards for exceptional reports.
Acknowledgments
We maintain a hall of fame to recognize researchers who have responsibly disclosed vulnerabilities. With your permission, we’ll add your name to our Acknowledgments Page.
Contact
For questions about this policy, contact security@theiainsights.com.
Last Updated: 2025-12-01