Security

Vulnerability Disclosure Policy

Reporting a Vulnerability

InsureCheck takes the security of our platform seriously. If you believe you have discovered a security vulnerability in our systems, please report it responsibly to:

security@insurecheck.io

Please include:

  • A description of the vulnerability and its potential impact
  • Steps to reproduce the issue
  • Any supporting evidence (screenshots, HTTP requests/responses)
  • Your contact information for follow-up

Response Timeline

  Acknowledgment             Within 3 business days
  Triage and assessment      Within 10 business days
  Status update              Every 30 days until resolved
  Resolution (critical)      Target within 14 days of confirmation
  Resolution (high)          Target within 30 days of confirmation
  Resolution (medium/low)    Target within 90 days of confirmation

Scope

The following systems are in scope for security research:

  • app.insurecheck.io — Customer portal
  • ops.insurecheck.io — Operations portal
  • insurecheck.io — Marketing site
  • The InsureCheck API

The following are out of scope:

  • Denial of service (DoS/DDoS) attacks
  • Social engineering attacks targeting InsureCheck employees or customers
  • Physical security attacks
  • Attacks requiring physical access to user devices
  • Vulnerabilities in third-party services not under InsureCheck control
  • Findings from automated scanner output without evidence of exploitability

Safe Harbor

InsureCheck will not pursue legal action against security researchers who:

  • Report vulnerabilities in good faith through this policy
  • Do not access, modify, or delete customer data beyond what is necessary to demonstrate the vulnerability
  • Do not disclose the vulnerability publicly before it has been resolved
  • Do not perform testing that degrades the availability or performance of our services

We ask that you give us reasonable time to remediate before any public disclosure, and that you coordinate disclosure with us.

Our Security Practices

InsureCheck maintains the following security practices:

  • Regular internal security audits (two completed as of March 2026)
  • Nonce-based Content Security Policy eliminating unsafe-inline script execution
  • HTTPS enforced with HSTS (max-age=31536000; includeSubDomains; preload)
  • Multi-tenant data isolation enforced at the application layer
  • JWT-based authentication with Redis-backed token blacklisting
  • Rate limiting on all authentication endpoints
  • Infrastructure: AWS private VPC, no publicly accessible database, SSM-only bastion access
  • Automated security header validation in CI/CD pipeline
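As an added example (not InsureCheck's own code), a minimal form of the CI header check the last bullet describes: it parses a response's headers and verifies the HSTS directives and the nonce-based, no-unsafe-inline CSP listed above. The function names and the sample header sets are assumptions constructed for this illustration.

```python
import re

# The max-age value and the nonce-based CSP are what the policy states; the
# rest is this example's own (hypothetical) code, not InsureCheck's.
REQUIRED_HSTS_MAX_AGE = 31536000
NONCE_RE = re.compile(r"^'nonce-[A-Za-z0-9+/=_-]+'$")

def parse_hsts(value):  # "max-age=...; includeSubDomains" -> {directive: value}
    parts = (p.strip().partition("=") for p in value.split(";") if p.strip())
    return {n.strip().lower(): v.strip().strip('"') for n, _, v in parts}

def parse_csp(value):  # "script-src 'self' 'nonce-x'; ..." -> {directive: [sources]}
    parts = (p.split() for p in value.split(";"))
    return {t[0].lower(): t[1:] for t in parts if t}

def check_security_headers(headers):
    """Return a list of findings; an empty list means both checks passed."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    findings = []
    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("HSTS: header missing")
    else:
        d = parse_hsts(hsts)
        max_age = int(d["max-age"]) if d.get("max-age", "").isdigit() else 0
        if max_age < REQUIRED_HSTS_MAX_AGE:
            findings.append(f"HSTS: max-age {max_age} below {REQUIRED_HSTS_MAX_AGE}")
        for flag in ("includesubdomains", "preload"):
            if flag not in d:
                findings.append(f"HSTS: missing {flag}")
    csp = h.get("content-security-policy")
    if csp is None:
        findings.append("CSP: header missing")
    else:
        p = parse_csp(csp)
        src = p.get("script-src", p.get("default-src", []))  # browser fallback rule
        if not any(NONCE_RE.match(s) for s in src):
            findings.append("CSP: script-src has no nonce source")
        # CSP2+ browsers ignore 'unsafe-inline' once a nonce is present, but
        # CSP1-only browsers still honour it, so its presence is flagged.
        if "'unsafe-inline'" in src:
            findings.append("CSP: script-src still allows 'unsafe-inline'")
    return findings

# Constructed sample responses for the check (not real InsureCheck headers).
GOOD = {"Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
        "Content-Security-Policy": "default-src 'self'; script-src 'self' 'nonce-abc123'"}
WEAK = {"strict-transport-security": "max-age=300",
        "content-security-policy": "script-src 'self' 'unsafe-inline'"}
```

In a pipeline the headers would come from a request against the staging deployment, and a non-empty findings list fails the build.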