Sandstone Security & Vulnerability Disclosure Policy
Overview
At Sandstone, security is a core part of how we design, build, and operate our platform. We are committed to protecting customer data and maintaining a secure environment across all of our services.
We welcome responsible disclosure of security issues and appreciate the efforts of security researchers who help us maintain the safety and reliability of our platform.
Reporting a Vulnerability
If you believe you have discovered a security issue, please contact us at:
Email: security@sandstone.ai
When reporting, please include:
- A description of the issue
- Steps to reproduce
- Any relevant logs, screenshots, or proof-of-concept
- Your contact information
We request that you avoid publicly disclosing the issue until we have had a chance to investigate and resolve it.
Our Commitment
When you report a vulnerability in good faith:
- We will acknowledge your submission within 72 hours.
- We will provide updates as we investigate and remediate the issue.
- We will notify you when the issue has been resolved.
- We will not pursue legal action for good-faith research and responsible disclosure (“safe harbor”).
Scope
This policy applies to all Sandstone-owned systems, applications, and services, including but not limited to:
- sandstone.ai
- app.sandstone.ai
- Sandstone APIs
- Sandstone integrations and plugins
If you are unsure whether something is in scope, please reach out — we are happy to clarify.
Out of Scope
The following types of findings are generally not considered security vulnerabilities:
- Reports based on out-of-date browsers or operating systems
- Missing DNS records (e.g., SPF/DMARC recommendations)
- Rate-limiting concerns without demonstrable impact
- Clickjacking on pages without sensitive actions
- Social engineering or phishing attempts
- Attacks requiring physical access to devices
If you’re unsure whether an issue qualifies, feel free to report it anyway — we review all submissions.
Safe Harbor
Sandstone supports safe, responsible security research.
We will not initiate legal action against researchers who:
- Act in good faith
- Avoid causing harm, privacy violations, or service disruption
- Do not access or modify customer data
- Follow responsible disclosure guidelines and give us reasonable time to remediate
Bug Bounty Program
Sandstone does not currently operate a paid bug bounty program.
However, we appreciate and value the efforts of the security community and may introduce a formal bounty program in the future.