Please do not file public GitHub issues for security vulnerabilities.
Email security reports to security@interactor.com.
For sensitive reports, request our PGP key in your first message; we will reply with the current key fingerprint so you can verify it before encrypting.
Please include in your report:
- A description of the issue and its impact.
- Steps to reproduce (proof-of-concept code, requests, or screenshots).
- Affected version(s) — commit SHA or release tag.
- Your name and a contact channel if you'd like credit in the advisory.
| Stage | SLA |
|---|---|
| Acknowledge receipt | within 2 business days |
| Initial triage and severity assessment | within 5 business days |
| Fix or mitigation for High/Critical issues | target 30 days |
| Public advisory (CVE if applicable) | after a fix ships and reasonable upgrade window |
In scope:
- The application code in this repository (`src/`, `ee/`, `prisma/`).
- Default Docker images we publish to GHCR.
- The hosted SaaS at *.interactor.com (a separate report is preferred, but if a finding affects both the code and the hosted service we triage it as one case).
Out of scope:
- Self-hosted misconfigurations (e.g., a publicly exposed Postgres without a password).
- Findings that require physical access or social engineering of an Interactor employee.
- Denial-of-service via unauthenticated traffic floods.
- Missing best-practice headers without a demonstrated impact.
We follow a 90-day coordinated disclosure window by default. We can extend that for complex fixes by mutual agreement, and shorten it if a vulnerability is being actively exploited.
We will credit reporters in the advisory unless they ask to remain anonymous.