Sandstone Security & Vulnerability Disclosure Policy

Overview

At Sandstone, security is a core part of how we design, build, and operate our platform. We are committed to protecting customer data and maintaining a secure environment across all of our services.
We welcome responsible disclosure of security issues and appreciate the efforts of security researchers who help us maintain the safety and reliability of our platform.

Reporting a Vulnerability

If you believe you have discovered a security issue, please contact us at:

Email: security@sandstone.ai

When reporting, please include:

A description of the issue
Steps to reproduce
Any relevant logs, screenshots, or proof-of-concept
Your contact information

We request that you avoid publicly disclosing the issue until we have had a chance to investigate and resolve it.

Our Commitment

When you report a vulnerability in good faith:

We will acknowledge your submission within 72 hours.
We will provide updates as we investigate and remediate the issue.
We will notify you when the issue has been resolved.
We will not pursue legal action for good-faith research and responsible disclosure (“safe harbor”).

Scope

This policy applies to all Sandstone-owned systems, applications, and services, including but not limited to:

sandstone.ai
app.sandstone.ai
Sandstone APIs
Sandstone integrations and plugins

If you are unsure whether something is in scope, please reach out — we are happy to clarify.

Out of Scope

The following types of findings are generally not considered security vulnerabilities:

Reports based on out-of-date browsers or operating systems
Missing DNS records (e.g., SPF/DMARC recommendations)
Rate-limiting concerns without demonstrable impact
Clickjacking on pages without sensitive actions
Social engineering or phishing attempts
Attacks requiring physical access to devices

If you’re unsure whether an issue qualifies, feel free to report it anyway — we review all submissions.

Safe Harbor

Sandstone supports safe, responsible security research.
We will not initiate legal action against researchers who:

Act in good faith
Avoid causing harm, privacy violations, or service disruption
Do not access or modify customer data
Follow responsible disclosure guidelines and give us reasonable time to remediate

Bug Bounty Program

Sandstone does not currently operate a paid bug bounty program.
However, we appreciate and value the efforts of the security community and may introduce a formal bounty program in the future.

Overview

Reporting a Vulnerability

If you believe you have discovered a security issue, please contact us at:

Email: security@sandstone.ai

When reporting, please include:

A description of the issue

Steps to reproduce

Any relevant logs, screenshots, or proof-of-concept

Your contact information

We request that you avoid publicly disclosing the issue until we have had a chance to investigate and resolve it.

Our Commitment

When you report a vulnerability in good faith:

We will acknowledge your submission within 72 hours.

We will provide updates as we investigate and remediate the issue.

We will notify you when the issue has been resolved.

We will not pursue legal action for good-faith research and responsible disclosure (“safe harbor”).

Out of Scope

The following types of findings are generally not considered security vulnerabilities:

Reports based on out-of-date browsers or operating systems

Missing DNS records (e.g., SPF/DMARC recommendations)

Rate-limiting concerns without demonstrable impact

Clickjacking on pages without sensitive actions

Social engineering or phishing attempts

Attacks requiring physical access to devices

If you’re unsure whether an issue qualifies, feel free to report it anyway — we review all submissions.

Safe Harbor

Sandstone supports safe, responsible security research.
We will not initiate legal action against researchers who:

Act in good faith

Avoid causing harm, privacy violations, or service disruption

Do not access or modify customer data

Follow responsible disclosure guidelines and give us reasonable time to remediate

Security Policy

Sandstone Security & Vulnerability Disclosure Policy

Overview

Reporting a Vulnerability

Our Commitment

Scope

Out of Scope

Safe Harbor

Bug Bounty Program

Unlock your
AI-native
legal
department.

Security Policy

Sandstone Security & Vulnerability Disclosure Policy

Overview

Reporting a Vulnerability

Our Commitment

Scope

Out of Scope

Safe Harbor

Bug Bounty Program

Unlock your
AI-native
legal
department.

Security Policy

Sandstone Security & Vulnerability Disclosure Policy

Overview

Reporting a Vulnerability

Our Commitment

Scope

Out of Scope

Safe Harbor

Bug Bounty Program

Unlock yourAI-nativelegaldepartment.

Security Policy

Sandstone Security & Vulnerability Disclosure Policy

Overview

Reporting a Vulnerability

Our Commitment

Scope

Out of Scope

Safe Harbor

Bug Bounty Program

Unlock yourAI-nativelegaldepartment.

Unlock your
AI-native
legal
department.

Unlock your
AI-native
legal
department.