Responsible disclosure

Report something to our security team

If you believe you've found a way to compromise the security of Ceven or our customers, we want to hear from you. This page lays out how to reach us and the commitments we make to researchers who report in good faith.

How to report

Email security@ceven.io with a proof of concept, reproduction steps, and the impact you observed. Our security team monitors this address continuously; we acknowledge every report within two business days. If you don't hear back, resend — it means we didn't see it.

If the issue is actively being exploited or you need to discuss something time-sensitive, put URGENT in the subject line. We route urgent mail to an on-call pager.

The machine-readable version of this policy lives at /.well-known/security.txt per RFC 9116.

What we commit to

If you report a vulnerability in good faith under this policy:

• We acknowledge your report within two business days.
• We give you a triage and severity assessment within five business days.
• We'll keep you updated through the fix.
• We will not take legal action against you or request disciplinary action by your employer, provided you followed this policy and didn't access or disclose customer data beyond what was necessary to prove the issue.
• We'll credit you on this page (with your permission) once the issue is fixed.

More on our security posture

See the Trust page for our broader security posture. For customer compliance requests, email compliance@ceven.io.

Last reviewed: April 20, 2026. Policy expires April 20, 2027 — watch this page or check security.txt for the current version.