Responsible Disclosure
Last updated: June 2026
Template / illustrative — not legal advice; final language pending counsel.
Found a vulnerability?
We take security seriously and welcome reports from researchers. Email security@hivekey.ai — or use our secure report form.
1. Our commitment
Security is core to HiveKey — we sit in the path of every agent action our customers run. We are committed to working with the security community to keep our users safe. If you report a vulnerability in good faith, we will respond promptly, keep you informed, and credit your contribution where you'd like.
2. Safe harbor
We will not pursue or support legal action against researchers who, in good faith, comply with this policy. Specifically, activity conducted under this policy is considered authorized, we will not initiate a complaint to law enforcement, and we waive any relevant restrictions in our Terms for the limited purpose of your research. If a third party brings action against you for activity that complied with this policy, we will make our authorization known. When in doubt, ask us first at security@hivekey.ai.
3. Scope
- The HiveKey web application and dashboard.
- hivekey.ai and its public subdomains.
- The HiveKey API and control-plane endpoints.
- Official HiveKey client libraries and agents.
4. Out of scope
- Denial-of-service (DoS/DDoS) and volumetric or load testing.
- Social engineering, phishing, or physical attacks against staff or offices.
- Findings from automated scanners without a demonstrated, reproducible impact.
- Missing best-practice headers with no proven exploit, and clickjacking on static pages.
- Vulnerabilities in third-party services or our subprocessors.
Please do not access, modify, or destroy data that isn't yours; use test accounts and stop at proof of concept. Never exfiltrate customer data.
5. How to report
Send your report to security@hivekey.ai or submit our secure form. For sensitive findings, request our PGP key and we'll share an encrypted channel. Please give us reasonable time to remediate before any public disclosure — we'll coordinate timing with you.
6. What to include
- A clear description of the vulnerability and its potential impact.
- Step-by-step instructions to reproduce, with affected URLs or endpoints.
- Proof-of-concept code, requests, or screenshots where helpful.
- Your environment (browser, tooling) and any accounts used.
- How you'd like to be credited, if at all.
7. Our response SLAs
We aim to meet the following targets for valid in-scope reports:
| Milestone | Target |
|---|---|
| Acknowledgement | Within 2 business days |
| Triage & severity | Within 5 business days |
| Status updates | Every 7 days until resolved |
| Fix target (critical) | Within 14 days |
8. Recognition
We maintain a private hall of fame and, with your permission, will publicly acknowledge researchers whose valid reports help us improve. While we do not run a paid bounty at this time, we may offer recognition and swag for high-impact findings. Thank you for helping keep HiveKey and our customers secure.