SBIC Platform
Log inSign up
Legal & Security

Security disclosure

Effective May 1, 2026

We take the security of the SBIC Platform seriously. If you believe you have found a vulnerability, please report it through the channel below. The machine-readable equivalent of this page is available at /.well-known/security.txt per RFC 9116.

01Reporting a vulnerability

Primary contact
[email protected]
Backup
+1 703-585-0041

Please include:

  • A description of the issue and its impact.
  • Steps to reproduce, including any proof-of-concept request or payload.
  • Your name or handle (for credit), and how you would like to be reached.

If your report contains sensitive details, you may request a PGP key in your first email and we will respond out-of-band.

02Our commitments

  • Acknowledgement within 48 hours. We will confirm receipt of your report within two business days.
  • Status updates at least every 7 days until the issue is resolved or formally closed.
  • Credit, on request. We will publicly thank researchers who report valid issues, unless they prefer to remain anonymous.
  • Coordinated disclosure. We ask researchers to give us a reasonable remediation window before publishing details. Standard window is 90 days but we will negotiate in good faith.

03Scope

In scope:

  • The production application at https://sbicdata.com (and the sbic-platform.vercel.app preview origin).
  • The HTTP API surface (/api/*).
  • The authentication flow (Supabase Auth).
  • The anonymization guarantees of the cross-firm aggregate views and RPCs (e.g. aggregate_metric, deal_comp_search). De-anonymization issues are considered high severity.

Out of scope:

  • Third-party services we depend on (Vercel, Supabase, Anthropic). Please report those to the respective vendor.
  • Reports requiring physical access to a user's device, social engineering, or that depend on outdated browsers or unsupported configurations.
  • Findings on staging URLs or PR-preview deploys unless they reproduce in production.
  • Denial-of-service tests against the production application. Please do not run these, contact us first if you have a concern.

04What is not a vulnerability

  • The demo personas (/api/demo-login) intentionally allow public sign-in as pre-seeded read-only gp, lp, or analyst accounts. Admin is not a demo persona.
  • Aggregate metrics with cohort sizes ≥ 5 are an intentional product feature. Reports about an aggregate "exposing data" are only in scope if the cohort guard can be bypassed or if the aggregates support practical re-identification.
  • Best-practice recommendations without a demonstrable issue (e.g. "you should use header X").

05Bug bounty

We do not currently offer a paid bug bounty. We do credit researchers who report valid issues, where requested.

06Hall of fame

Coming soon. Be the first.