CodeSignal Vulnerability Disclosure Policy
CodeSignal supports coordinated disclosure and appreciates reports of potential security vulnerabilities from security researchers and others acting in good faith.
If you discover a security issue, please report it to us in accordance with this policy.
This document outlines the process, expectations, and rules for coordinated vulnerability disclosure.
Scope
Our intent is to include CodeSignal-owned infrastructure and services in scope, with certain practical restrictions to protect our users and comply with legal requirements.
In Scope
- CodeSignal-owned web applications, APIs, and services.
- Any infrastructure or platform that is directly operated and managed by CodeSignal.
Restrictions
- Do not perform automated or high-volume scans without prior approval.
- Do not attempt Denial of Service (DoS), brute force, or resource exhaustion attacks.
- Testing must be non-destructive, manual, and must neither affect service availability nor compromise user data or privacy.
- If you believe automated testing is necessary, contact us first and obtain explicit written permission before proceeding.
Out of Scope
The following are strictly out of scope:
- Customer-owned integrations, customer data, or infrastructure not owned by CodeSignal.
- Third-party platforms or services (e.g., GitHub, Slack, Google Workspace).
- Physical security testing (e.g., attempts to gain unauthorized physical access to offices).
- Social engineering or phishing attacks targeting CodeSignal employees, customers, or partners.
- Attacks or actions that may cause harm to individuals, including psychological or reputational harm.
- Denial of Service (DoS) or resource exhaustion attempts.
Low Impact Reports
Although we still appreciate responsible disclosures, we will not consider issues related to outdated libraries, TLS, or HTTP headers a priority without proven impact.
Expectations
What You Can Expect From Us
- Acknowledgment: We will strive to acknowledge receipt of your report in a timely manner and let you know if it is determined to be a valid security issue.
- Triage & Updates: If we verify that you have identified a valid security issue, we may provide additional updates at our discretion.
- Remediation: We will strive to remediate verified vulnerabilities within industry standard timelines.
What We Expect From You
- Please limit your testing to methods described in this policy.
- Cease testing immediately and report to us if you encounter Personally Identifiable Information (PII) or any other sensitive or customer data.
- Contact us only via the official channels described in this policy. Do not harass or approach individuals associated with CodeSignal.
- Provide a clear, concise write-up that includes instructions for reproducing your findings, along with any other information helpful for assessing the likelihood and impact of exploitation.
- Avoid sharing any secrets, PII, or other sensitive information in your disclosure report unless explicitly requested by us.
- Do not share details of the vulnerability with third parties or the public until we have confirmed remediation or agreed in writing to disclosure.
- Please coordinate public disclosure or publication with us to avoid miscommunication or exploitation and to allow reasonable time for remediation.
Bug Bounty
We do not operate a formal bug bounty program at this time. Rewards or recognition may be provided at CodeSignal's sole discretion.
Contact
Please contact us via email: security@codesignal.com.
Safe Harbor
To support and protect security research and vulnerability disclosures done in good faith, CodeSignal has adopted Gold Standard Safe Harbor.
Gold Standard Safe Harbor supports the protection of organizations and hackers engaged in Good Faith Security Research.
“Good Faith Security Research” is accessing a computer solely for purposes of good-faith testing, investigation, and/or correction of a security flaw or vulnerability, where such activity is carried out in a manner designed to avoid any harm to individuals or the public, and where the information derived from the activity is used primarily to promote the security or safety of the class of devices, machines, or online services to which the accessed computer belongs, or those who use such devices, machines, or online services.
We consider Good Faith Security Research to be authorized activity that is protected from adversarial legal action by us.
We waive any relevant restriction in our Terms of Service ("TOS") and/or Acceptable Use Policies ("AUP") that conflicts with the standard for Good Faith Security Research outlined here.
This means that, for activity conducted while this program is active, we:
- Will not bring legal action against you or report you for Good Faith Security Research, including for bypassing technological measures we use to protect the applications in scope; and,
- Will take steps to make known that you conducted Good Faith Security Research if someone else brings legal action against you.
You should contact us for clarification before engaging in conduct that you think may be inconsistent with Good Faith Security Research or unaddressed by our policy.
Keep in mind that we are not able to authorize security research on third-party infrastructure, and a third party is not bound by this safe harbor statement.
Policy Changes
We may update this policy at any time. Please review this page before beginning research.