Responsible disclosure
Report something to our security team
Ceven runs procurement workflows for companies that trust us with their vendor data, employee records, and financial history. If you believe you've found a way to compromise any of that, we want to hear from you. This page lays out the scope we treat as valid, the promises we make to researchers who report in good faith, and how to reach us.
How to report
Email security@ceven.io with a proof of concept, reproduction steps, and the impact you observed. Our security team monitors this address continuously, and we acknowledge every report within two business days. If you don't hear back within that window, resend; it means we didn't see it.
If the issue is actively being exploited or you need to discuss something time-sensitive, put URGENT in the subject line. We route urgent mail to an on-call pager.
The machine-readable version of this policy lives at /.well-known/security.txt per RFC 9116.
Scope
The following assets are in scope:
- api.siftcost.com and every subpath
- ceven.io and every subdomain we operate
- Our published mobile and web clients
- Subprocessors are in scope only insofar as a misconfiguration on our side exposes customer data — vulnerabilities in Stripe, Cloudflare, or similar belong to those vendors.
The following are out of scope. Reports on these will be closed as informational:
- Social engineering of Ceven employees or customers
- Denial-of-service testing without written permission
- Physical attacks against our facilities or hardware
- Missing security headers on static marketing pages that serve no authenticated content
- Self-XSS, clickjacking on pages with no sensitive actions, or CSRF on logout-style idempotent endpoints
- Reports from automated scanners without a working reproduction
- Issues in third-party software unless we are responsible for the misconfiguration
What we commit to
If you report a vulnerability in good faith under this policy:
- We acknowledge your report within two business days.
- We give you a triage and severity assessment within five business days.
- We fix critical issues the same day, high issues within 48 hours, and medium issues within two weeks. We'll keep you updated through the fix.
- We will not take legal action against you or request disciplinary action by your employer, provided you followed this policy and didn't access or disclose customer data beyond what was necessary to prove the issue.
- We'll credit you on this page (with your permission) once the issue is fixed.
What we ask of you
- Only test against accounts you own or have explicit permission to test.
- Do not access, modify, or delete customer data beyond what's required to demonstrate the vulnerability. If you accidentally hit real data, stop, report, and we'll work with you to purge it.
- Avoid automated scanning that could degrade service for legitimate users.
- Give us a reasonable window to fix before disclosing publicly — typically 90 days, shorter if we've agreed to an earlier date in writing.
- Do not demand payment as a condition of disclosure. We do not currently run a bug bounty program, but we recognize researchers on a case-by-case basis.
What we consider high impact
Bugs in the following categories get our fastest attention and carry a same-day remediation commitment:
- Authentication bypass or privilege escalation
- Cross-tenant data access (IDOR, authorization drift)
- SQL injection, RCE, or path traversal reaching sensitive data
- Exposure of customer PII (SSN, bank, employment records, payment details)
- Secret or cryptographic key compromise
- Stored XSS in workflows an authenticated user would routinely hit
Transparency
We publish controls, subprocessors, and certification status on our Trust page. If you need SOC 2 or other documentation for a security review, email compliance@ceven.io. We respond to customer compliance requests within one business week.
Last reviewed: April 20, 2026. Policy expires April 20, 2027 — watch this page or check security.txt for the current version.