Security at SpecStep

Report a vulnerability

Email security@specstep.com. We acknowledge every report within 72 hours. If you believe customer data may have been exposed, put SECURITY INCIDENT in the subject line so the report routes to immediate triage.

The standards-compatible discovery file lives at /.well-known/security.txt per RFC 9116. Automated scanners and researchers can resolve the reporting path from there without visiting this page.

What’s in scope

• specstep.com and every authenticated SpecStep web surface.
• The REST API (/v1/…) and our public MCP server (/v1/mcp).
• OAuth and API-key authentication flows.
• Package generation, delivery, and download flows.
• Webhooks and external connector flows (GitHub, Notion, Confluence, Box, etc.).
• Our public documentation, status, and marketing surfaces.

What’s out of scope

• Social engineering against SpecStep employees, contractors, or customers.
• Spam, phishing simulations, and unsolicited outreach.
• Denial-of-service and load testing against any SpecStep surface.
• Physical attacks against SpecStep facilities or personnel.
• Speculative reports without a demonstrated impact.
• Issues in third-party services without a SpecStep-specific exposure (e.g., a CVE in a dependency that SpecStep doesn’t expose).

Safe harbor

Good-faith security research is welcome if you:

• Don’t destroy data, escalate to other accounts, or persist after your test.
• Don’t exfiltrate customer data, including your own — a screenshot of the data path is enough.
• Don’t disrupt service for other customers.
• Don’t publicly disclose the vulnerability before SpecStep has confirmed remediation.
• Stop testing immediately if you encounter unintended customer data, and notify us.

If you stay within these guardrails, we won’t pursue legal action and we’ll treat your report as authorized testing.

What to include in a report

• The affected URL, tool, or API endpoint.
• Reproduction steps a SpecStep engineer can follow without your environment.
• Demonstrated or estimated impact — data accessed, accounts affected, actions enabled.
• The account email or API-key prefix you used during testing.
• Screenshots or logs, where it’s safe to share them.
• Whether customer data — yours or anyone else’s — was touched during the test.

Bounty and recognition

SpecStep does not run a paid bug bounty at launch. This may change as the program matures, but we want to be upfront about the current posture rather than imply otherwise.

We acknowledge significant reports publicly when you’d like the credit — name, handle, and an optional link of your choice. Tell us in your report whether you want recognition, anonymity, or anything in between.

How we work with a report

• Acknowledgement: within 72 hours.
• Initial triage and severity assignment: within 5 business days.
• Status updates while we work: every 5 business days until remediation.
• Coordinated disclosure: aligned with you before publication.

We aim to ship fixes for High and Critical issues before the disclosure window closes. If a fix needs longer — third-party dependency, architectural rework — we’ll tell you so explicitly.

Other ways to reach us

• For account or generation help → Support.
• For partnerships, press, or pre-sales → Contact.
• For machine-readable discovery → /.well-known/security.txt.