Security & Vulnerability Disclosure

We take security seriously and welcome responsible disclosure from security researchers. Help us keep Distil and our users secure.

Reporting Security Issues

If you discover a security vulnerability in Distil (including our web application, API, or integrations), please report it to:

hello@distilhq.com
Acknowledgment: Within 2 business days
Detailed response: Within 7 business days

Scope

Our vulnerability disclosure program covers the following:

Distil web application (distilhq.com)
Slack integration and OAuth flow
Linear, Jira, Zendesk, and Intercom integrations
API endpoints and webhooks
Authentication and authorization systems

Safe Harbor

We consider security research conducted in good faith to improve the security of our services. We will not pursue legal action against researchers who:

Report vulnerabilities privately to hello@distilhq.com
Do not access, modify, or delete user data beyond what is necessary to demonstrate the vulnerability
Do not disrupt our services or degrade the user experience
Make a good faith effort to avoid privacy violations and destruction of data

Out of Scope

The following activities are not covered by our vulnerability disclosure program:

Denial of Service (DoS) or Distributed Denial of Service (DDoS) attacks
Social engineering attacks against Distil employees or customers
Physical attacks against Distil infrastructure or offices
Spam or social engineering of other users

Disclosure Policy

We request that you do not publicly disclose vulnerabilities until we have had reasonable time to address them.

We aim to resolve critical vulnerabilities within 90 days of the initial report. We will keep you informed of our progress throughout the remediation process and coordinate with you on public disclosure timing.

Thank you for helping keep Distil and our users secure.
