Vulnerability Disclosure Program

We take security seriously. If you've found a vulnerability, we want to hear from you.

Scope

The following domains and assets are in scope for this program:

In Scope

goinsight.co and all subdomains
Insight web application
API endpoints under goinsight.co/api

Out of Scope

Third-party services (Spotify, Supabase infrastructure, Vercel infrastructure)
Social engineering attacks
Denial of Service (DoS/DDoS) attacks
Physical attacks
Spam or phishing

Eligible Vulnerabilities

We accept non-intrusive vulnerability reports including:

Cross-Site Scripting (XSS)
Cross-Site Request Forgery (CSRF)
Open Redirect
Improper Access Control

How to Report

Send your report to security@goinsight.co. Please include:

A clear description of the vulnerability
Steps to reproduce
Potential impact assessment
Proof of Concept (PoC) if available
Screenshots or video recordings

Rules of Engagement

To ensure a productive and safe disclosure process:

Do not disrupt or degrade our services
Do not access, modify, or delete other users' data
Do not publicly disclose vulnerabilities before they are fixed
Act in good faith — test only within the defined scope
Do not use automated vulnerability scanners

Recognition & Rewards

We appreciate responsible disclosure and offer:

Public recognition on our Hall of Fame page
Recommendation on the researcher's profile
Up to $200 for critical findings
Up to $100 for high-risk findings
Public kudos for other valid findings

External Programs

You can also report vulnerabilities through our partnered platforms:

Open Bug Bounty

Non-intrusive vulnerability disclosure for XSS, CSRF, open redirects, and improper access control.

Contact

For security inquiries, reach us at:

security@goinsight.co

We aim to respond within 48 hours.

Last updated: 2026-03-20

Back to home