Security

Vulnerability Disclosure Policy

Convergent takes the security of our own systems seriously. If you have discovered a vulnerability in any Convergent-operated system, we want to hear from you. This policy describes how to report it, what we commit to in response, and the protections we extend to researchers acting in good faith.

Report a vulnerability

Security Team

For vulnerability reports, security concerns, and disclosure inquiries

security@convergent.security

PGP encryption

Encrypted submission

PGP key available on request for sensitive disclosures

Request PGP key →

Safe harbor

Convergent will not pursue legal action against researchers who comply with this policy. Specifically, we will not initiate or recommend legal action under the Computer Fraud and Abuse Act, the DMCA (Section 1201), or any applicable state computer crime statute against researchers acting in good faith. This safe harbor applies when the researcher has made every reasonable effort to avoid privacy violations, disruption of services, and destruction of data.

No prosecution

We will not refer good-faith researchers to law enforcement or pursue civil action under the CFAA, DMCA, or state computer crime statutes.

Confidentiality

We will not share your personal information with third parties without your consent, except as required by law.

No NDAs required

We will not require you to sign a non-disclosure agreement as a condition of receiving our response or providing credit.

In scope

Systems covered by this policy

The following Convergent-operated systems are in scope for security research:

convergent.security and all subdomains · Sanctum platform (sanctum.convergent.security) · Convergent corporate infrastructure and APIs · Any system that processes client or employee data on behalf of Convergent

The following are explicitly out of scope:

Client systems assessed by Convergent under any engagement · Social engineering of Convergent employees or clients · Physical attacks against Convergent facilities · Denial-of-service attacks · Attacks requiring physical access to a device · Automated scanning that causes service disruption · Third-party services used by Convergent where we have no operational control

Researcher guidelines

What to do — and what not to do

Please do:

Report the vulnerability to us as soon as reasonably possible · Provide sufficient detail to reproduce the issue · Give us reasonable time to investigate and remediate before public disclosure · Use the minimum access necessary to demonstrate the vulnerability · Cease testing once you have confirmed the vulnerability exists

Please do not:

Access, modify, or delete data that does not belong to you · Disclose the vulnerability publicly before we have had a reasonable opportunity to address it · Conduct tests that could degrade or disrupt Convergent services · Use automated scanning tools in a way that generates excessive load · Demand payment or other compensation as a condition of disclosure

How to report

What to include in your report

Send your report to security@convergent.security. A complete report helps us triage and respond faster. The more detail you can provide, the better.

Vulnerability description

The type of vulnerability (e.g. XSS, SSRF, authentication bypass, SQL injection). The affected system or component. The potential impact if exploited — what an attacker could do with it.

Steps to reproduce

A clear, step-by-step description of how to reproduce the vulnerability. Include request/response examples, screenshots, or proof-of-concept code where relevant. We do not require working exploits.

Supporting material

HTTP request and response captures. Relevant screenshots or recordings. Any tools or scripts used — describe them if you would prefer not to share them directly.

Your contact details

Name or handle (anonymous reports are accepted). Contact method for follow-up questions. Whether you would like to be credited in our acknowledgement if we publish one.

Our commitments to you

When you report a vulnerability under this policy, here is what you can expect from Convergent.

3 business days

We will acknowledge receipt of your report and confirm we have received it.

30 days

Initial assessment with confirmation of scope and severity classification.

90 days

Target resolution window. We will notify you when resolved or if we need more time.

Communication

We will keep you informed throughout. We will not go silent after acknowledgement.

Credit

We will acknowledge your contribution publicly or anonymously, per your preference.

Coordinated disclosure

We support coordinated disclosure and will not publish details without your consent.

Report a vulnerability

Found something? Tell us.

We take every report seriously. A member of the Convergent security team will respond within three business days. For sensitive disclosures, request a PGP key in your initial message and we will provide one before you share details.

Security disclosures

security@convergent.security

Vulnerability reports, coordinated disclosure, and security questions about Convergent systems

Send a report →
Consent Preferences