Vulnerability disclosure policy
Superthread no longer operates a vulnerability disclosure or bug bounty program, and we no longer accept unsolicited vulnerability reports. This page explains what changed and why.
Last updated: June 2026
For several years, Superthread ran a vulnerability disclosure program and, in some cases, offered rewards for reports of genuine, exploitable security issues. We're grateful to the researchers who engaged with it in good faith — their work made Superthread safer. As of June 2026, that program is closed, and we no longer accept unsolicited vulnerability reports.
We don't take this decision lightly, and we want to be transparent about the reasons behind it.
Why we've closed the program
The honest answer is signal-to-noise. Over the past year, the volume of submissions has risen sharply while their quality has collapsed. The overwhelming majority of what now reaches us is produced by AI tools and large language models, and it shares a recognisable set of problems:
- Nonsensical or fabricated findings — reports describing vulnerabilities that simply don't exist, citing endpoints, code paths, or behaviours that aren't real, wrapped in confident, polished prose that falls apart at the first follow-up question.
- False positives — automated scanner output pasted verbatim, flagging "issues" that are intended behaviour, already mitigated, or carry no security impact.
- Low or no impact — missing security headers, theoretical concerns with no realistic exploit path, and "best practice" deviations presented as vulnerabilities.
- No reproducible proof — submissions with no working proof of concept, no clear steps, and no demonstration of real risk to our systems or our users' data.
Triaging this volume — reading, reproducing, verifying, and responding to each claim — now consumes far more security-engineering time than it returns in genuine findings. That is time taken directly away from the proactive security work that actually protects our customers. An open submission channel no longer makes sense for us, so we've chosen to close it rather than continue offering a service we can't review with the care it deserves.
What this means
Superthread no longer operates a vulnerability disclosure or bug bounty program. In practical terms:
- We do not accept unsolicited vulnerability reports, and we are not offering rewards for them.
- We have retired our dedicated security reporting inbox. Reports sent there may not be reviewed or acknowledged.
- We will not be triaging, scoring, or responding to disclosure submissions.
How we keep Superthread secure
Closing a public submission channel is not a change in how seriously we take security — it's a change in where we direct our security effort. We continue to protect your data through:
- Secure development practices and peer code review across our engineering teams.
- Independent, professional security assessments and penetration testing.
- Continuous monitoring, logging, and alerting across our infrastructure.
- Ongoing compliance and data-protection work — see our Security and compliance page for detail.
If you have a product or account problem
If you've run into a bug, an account issue, or anything else affecting your use of Superthread, our team can help: reach us at [email protected]. For questions about how we handle your data, see our Privacy policy.
To the researchers who reported real issues responsibly over the years: thank you. This change is a response to the current state of automated, low-signal submissions — not to the genuine work that came before it.