Vulnerability Disclosure

Indigo welcomes reports from security researchers and customers who discover potential vulnerabilities in HQ. This page explains how to report an issue, what is in scope, and what you can expect from us.

How to report

Email security@getindigo.ai with:

  • A description of the issue and its potential impact.
  • Step-by-step reproduction details (proof-of-concept, affected URL/endpoint/app, request/response samples).
  • Any relevant logs, screenshots, or recordings.
  • How you would like to be credited (optional).

If you need to send sensitive details, request our PGP key in your first message and we will provide an encrypted channel.

Our commitment to you (safe harbor)

If you make a good-faith effort to comply with this policy during your research, Indigo will:

  • Consider your research authorized and will not pursue or support legal action against you for it.
  • Work with you to understand and resolve the issue promptly.
  • Recognize your contribution (with your permission) once the issue is resolved.

This safe harbor applies only to the scope and rules below.

Rules of engagement

Please do:

  • Test only against your own account/organization and data.
  • Stop immediately if you encounter another customer’s data, and report it.
  • Give us reasonable time to remediate before any public disclosure (see timelines).

Please do not:

  • Access, modify, or delete data that is not yours.
  • Run attacks that degrade service availability (denial-of-service, volumetric, or load testing).
  • Use social engineering, phishing, or physical attacks against Indigo staff, customers, or facilities.
  • Exfiltrate data, or retain any data you incidentally access — delete it and tell us.
  • Publicly disclose the issue before we have remediated it and agreed on timing.

Scope

In scope: the HQ platform and services operated by Indigo, including the HQ Cloud API, the vault/sync services, and Indigo-published desktop applications (HQ Sync, HQ Installer).

Out of scope:

  • Third-party services and subprocessors (report those to the respective provider; see Subprocessors).
  • Findings that require a compromised device, a malicious local user, or a man-in-the-middle on the victim’s own network.
  • Missing security headers, rate-limit nuances, or best-practice suggestions without a demonstrated, concrete impact.
  • Issues in customer-controlled configuration (your IdP/MFA settings, your connected-tool credentials) — see Shared Responsibility.
  • Reports generated solely by automated scanners without a validated, exploitable finding.

What you can expect from us (target timelines)

Stage                                  Target
Acknowledge receipt                    Within 3 business days
Initial triage & severity assessment   Within 10 business days
Status updates                         At least every 14 days until resolution
Remediation                            Prioritized by severity; critical issues addressed as quickly as practicable

These are good-faith targets, not contractual SLAs, and may vary with complexity.

Disclosure

We support coordinated disclosure. Once an issue is remediated, we are happy to coordinate public acknowledgment and credit. Please obtain our agreement on timing before publishing.

Machine-readable contact

Indigo intends to publish a security.txt file (per RFC 9116) at the HQ web domains’ /.well-known/security.txt referencing security@getindigo.ai. (Roadmap item — see Compliance Roadmap.)