Second Street values the work done by security researchers which improves the security of our products. We are committed to working with the community to verify, reproduce, and respond to legitimate vulnerabilities that are reported to us. We encourage the community to participate in our responsible disclosure policy.

Reporting Process

If you would like to report a security vulnerability, please send an email to: Please provide your name, contact information, and (if applicable) company name with each report. You may find it helpful to use the report template at the bottom of this policy.

Which domains are in scope?

The domain and any subdomain except for domains that match the pattern *-qa-*


Safe Harbor

We will investigate legitimate reports and we will make every effort to correct vulnerabilities in a timely manner. To encourage responsible reporting, we commit that we will not take legal action against you or ask law enforcement to investigate you if you comply with this policy, including good faith, accidental violations.

Frequently Asked Questions

Can I get a sandbox to test with?

When you submit a vulnerability report in accordance with this policy, you can request a sandbox account to test with. At our discretion, we may decide to provide this. If we do, we’ll let you know how to safely use the sandbox for security research and testing.

How should reports be formatted?

Name: ______
Company (optional): ______
Twitter (optional): @______
Phone: ______
Bug type: ______
Severity (low, medium, high): ______
URL: ______
Proof of Concept: ______
More Details:______________________________________________________