Responsible Disclosure Policy
Last updated: May 27, 2026
This policy describes two things: how TryMySaaS notifies customers when our agents discover a critical security finding in an audited system, and how security researchers can report vulnerabilities they discover in TryMySaaS itself.
Scope
This policy applies to findings produced by the SecureIt and PenTestIt agents against systems you have authorized us to audit. It does not apply to findings produced by ReviewIt, AuditIt, or MarketIt, which by design do not test for exploitable security defects.
What triggers an out-of-band notification
We notify you out of band — separately from the normal dashboard and report — when an audit produces a finding that puts end-user data or business continuity at immediate risk. Examples include:
- Unauthenticated exposure of personal data (PII), authentication credentials, or session tokens.
- Broken authentication, including missing authentication on sensitive endpoints, predictable session identifiers, and password-reset flows that disclose whether an account exists.
- Insecure direct object reference (IDOR) on records belonging to other users or organizations.
- Exposed cloud or service credentials in client-side code, public repositories, or response bodies.
- Remote code execution, server-side request forgery against internal resources, or any vulnerability that allows an attacker to act as the application.
Findings that do not meet this bar (theoretical issues, low-severity misconfigurations, best-practice deviations) are surfaced in the standard report only.
How we notify
The notification is a short email sent to the account owner and any users with a security or admin role on the audited organization. The email does not contain the finding details — it contains a single-use, time-limited access link to a hardened page that displays them. We do this so that forwarded or screenshotted emails cannot leak the vulnerability.
Access links are single-use, expire after 72 hours, and are bound to the recipient address. Following the link requires that you sign in to your TryMySaaS account.
Timing
We aim to send the notification within one hour of the agent producing a finding that meets the trigger criteria. We do not delay notification while we attempt to reproduce the finding — if the agent's evidence supports the severity, we send.
Who can receive notifications
Notifications go to verified email addresses on accounts with billing or security roles on the affected organization. You can configure additional recipients (for example a security@yourcompany.com address) from the organization settings page. We will not send disclosure details to unverified addresses.
Why we do this regardless of plan
It is industry standard for security tooling to disclose immediately when end-user data is at risk. It is also our legal obligation under data-protection regimes such as LGPD, GDPR, and CCPA when an incident affects personal data. We will not gate this behavior behind a plan upgrade; if SecureIt or PenTestIt is enabled on your organization, you receive disclosures.
Reporting a vulnerability in TryMySaaS
If you discover a vulnerability in TryMySaaS itself — the website, the dashboard, the agent runtime, or our APIs — we ask that you give us a reasonable opportunity to fix it before public disclosure. Please include a clear description, steps to reproduce, the affected version or URL, and the impact you observed. We acknowledge reports within 3 business days and aim to remediate critical issues within 30 days.
Report to: security@trymysaas.com. We support PGP-encrypted reports; ask for our key in your first message.
Safe harbor for good-faith research
If you are a security researcher acting in good faith — testing only your own accounts or test data, not degrading service for other users, not accessing data beyond what is needed to demonstrate the issue, and giving us a reasonable window to remediate — we will not pursue legal action against you and we will treat your activity as authorized for the purposes of computer-misuse statutes.
Changes to this policy
We will update this policy as the service evolves. The 'Last updated' date at the top of this page always reflects the current version.