← Security overview
Security

Vulnerability Disclosure Policy

If you’ve found a security issue in the Soundcheck Insights platform, we want to know. This page explains how to tell us, what we promise back, and the safe-harbor we extend to good-faith researchers.

Last updated · June 2026 · paired with /.well-known/security.txt

How to report

Email info@soundcheckinsights.com with the subject line Security report. Include:

  • A short description of what you found.
  • Steps to reproduce (URLs, request bodies, screenshots, or a short proof-of-concept).
  • Your name or handle (so we can credit you, if you want credit).
  • How we should reach you back.

What we promise

  • Acknowledge within 1 business day. We’ll confirm we got the report and that we’re looking at it.
  • Triage within 5 business days. We’ll tell you the severity we’re assigning and a rough timeline.
  • Notify affected customers within 72 hours of a confirmed breach. Per our Incident Response Plan.
  • Credit you publicly if you want it. Acknowledgments are listed on this page below; you can also stay anonymous.
  • Coordinate disclosure timing with you. If you want to write or publish about the finding, we’ll agree a date.

Safe harbor

If you’re acting in good faith — meaning you discover and report an issue without harming our customers, our data, or the platform’s availability — we will not pursue legal action against you under the Computer Fraud and Abuse Act, the Florida Computer Crimes Act, our Terms of Service, or any other applicable statute or contractual claim.

Specifically, we authorize good-faith research that:

  • Tests for vulnerabilities on the Soundcheck platform.
  • Stops as soon as you confirm the issue and reports it to us; does not exfiltrate data beyond the minimum needed to demonstrate the issue.
  • Does not access, modify, or destroy data belonging to other Soundcheck operators or their clients.
  • Does not degrade availability for other users (no denial-of-service tests, no large-scale scanning).
  • Gives us a reasonable window to remediate before any public disclosure.

Scope

In scope: soundcheckinsights.com (marketing), soundcheck.report (platform), and the public share URLs at /share/dashboard/[slug] and /share/research/[slug]. Any Soundcheck-authored API endpoint or webhook handler is in scope.

Out of scope: findings on our sub-processors (Clerk, Vercel, Neon, Anthropic, Inngest, Tavily, Telegram) should go directly to those providers’ security teams. Cosmetic issues (typos, broken non-security links), self-XSS that requires the victim to paste code into their own console, and social engineering of Soundcheck staff are out of scope.

Acknowledgments

No researchers acknowledged yet. If you’d like to be the first, the inbox is info@soundcheckinsights.com.

Soundcheck Insights LLC · Florida, United States · © 2026