Security
Convergent takes the security of our own systems seriously. If you have discovered a vulnerability in any Convergent-operated system, we want to hear from you. This policy describes how to report it, what we commit to in response, and the protections we extend to researchers acting in good faith.
Report a vulnerability
Security Team
For vulnerability reports, security concerns, and disclosure inquiries
security@convergent.securityPGP encryption
Encrypted submission
PGP key available on request for sensitive disclosures
Request PGP key →Convergent will not pursue legal action against researchers who comply with this policy. Specifically, we will not initiate or recommend legal action under the Computer Fraud and Abuse Act, the DMCA (Section 1201), or any applicable state computer crime statute against researchers acting in good faith. This safe harbor applies when the researcher has made every reasonable effort to avoid privacy violations, disruption of services, and destruction of data.
No prosecution
We will not refer good-faith researchers to law enforcement or pursue civil action under the CFAA, DMCA, or state computer crime statutes.
Confidentiality
We will not share your personal information with third parties without your consent, except as required by law.
No NDAs required
We will not require you to sign a non-disclosure agreement as a condition of receiving our response or providing credit.
In scope
The following Convergent-operated systems are in scope for security research:
convergent.security and all subdomains · Sanctum platform (sanctum.convergent.security) · Convergent corporate infrastructure and APIs · Any system that processes client or employee data on behalf of Convergent
The following are explicitly out of scope:
Client systems assessed by Convergent under any engagement · Social engineering of Convergent employees or clients · Physical attacks against Convergent facilities · Denial-of-service attacks · Attacks requiring physical access to a device · Automated scanning that causes service disruption · Third-party services used by Convergent where we have no operational control
Researcher guidelines
Please do:
Report the vulnerability to us as soon as reasonably possible · Provide sufficient detail to reproduce the issue · Give us reasonable time to investigate and remediate before public disclosure · Use the minimum access necessary to demonstrate the vulnerability · Cease testing once you have confirmed the vulnerability exists
Please do not:
Access, modify, or delete data that does not belong to you · Disclose the vulnerability publicly before we have had a reasonable opportunity to address it · Conduct tests that could degrade or disrupt Convergent services · Use automated scanning tools in a way that generates excessive load · Demand payment or other compensation as a condition of disclosure
How to report
Send your report to security@convergent.security. A complete report helps us triage and respond faster. The more detail you can provide, the better.
The type of vulnerability (e.g. XSS, SSRF, authentication bypass, SQL injection). The affected system or component. The potential impact if exploited — what an attacker could do with it.
A clear, step-by-step description of how to reproduce the vulnerability. Include request/response examples, screenshots, or proof-of-concept code where relevant. We do not require working exploits.
HTTP request and response captures. Relevant screenshots or recordings. Any tools or scripts used — describe them if you would prefer not to share them directly.
Name or handle (anonymous reports are accepted). Contact method for follow-up questions. Whether you would like to be credited in our acknowledgement if we publish one.
When you report a vulnerability under this policy, here is what you can expect from Convergent.
3 business days
We will acknowledge receipt of your report and confirm we have received it.
30 days
Initial assessment with confirmation of scope and severity classification.
90 days
Target resolution window. We will notify you when resolved or if we need more time.
Communication
We will keep you informed throughout. We will not go silent after acknowledgement.
Credit
We will acknowledge your contribution publicly or anonymously, per your preference.
Coordinated disclosure
We support coordinated disclosure and will not publish details without your consent.
Report a vulnerability
We take every report seriously. A member of the Convergent security team will respond within three business days. For sensitive disclosures, request a PGP key in your initial message and we will provide one before you share details.
Security disclosures
security@convergent.security
Vulnerability reports, coordinated disclosure, and security questions about Convergent systems
Send a report →