Security Vulnerability Reporting Policy

Last updated on April 1, 2026

Profound takes the security of its systems seriously and appreciates reports from individuals who identify potential security vulnerabilities affecting Profound systems.

This Policy explains how to report a suspected vulnerability to Profound and the information we ask you to include so we can review and respond appropriately.

1. How to Report

Please send reports to: [email protected]

Please include, at a minimum:

  • a description of the suspected vulnerability and its potential impact;
  • steps to reproduce the issue; and
  • your contact information.

If available, please also include any supporting materials that may help us validate the issue, such as screenshots, logs, proof-of-concept code, affected URLs, IP addresses, request and response samples, or suggested remediation steps.

Profound aims to acknowledge or respond to initial reports within 5 business days.

2. Scope

This Policy applies to suspected vulnerabilities affecting: *.tryprofound.com

Reports relating solely to third-party products, services, or infrastructure not controlled by Profound are outside the scope of this Policy, unless the report shows that the issue is caused by Profound's own code, configuration, or implementation.

3. Out of Scope

The following are outside the scope of this Policy:

  • social engineering, phishing, or impersonation attempts;
  • physical security issues;
  • denial of service or distributed denial of service activity;
  • spam, brute force, credential stuffing, or automated volumetric attacks;
  • malware, ransomware, or destructive payloads;
  • issues involving only third-party services or applications that are not owned or controlled by Profound; and
  • reports that lack enough detail for Profound to reproduce or evaluate the issue.

4. Researcher Expectations

When identifying and reporting a suspected vulnerability to Profound, please:

  • act in good faith;
  • provide accurate and complete information;
  • avoid any activity that disrupts, degrades, or impairs Profound systems or services;
  • do not access, use, modify, disclose, or delete data that does not belong to you; and
  • report the issue privately to Profound and give Profound a reasonable opportunity to review and address it before any public disclosure.

5. No Commitment to Compensation

Profound may, in its sole discretion, choose to recognize or reward certain valid reports. Profound is under no obligation to provide compensation, and any decision whether to provide compensation, and in what amount, is solely up to Profound.

6. Safe Harbor

If you make a good-faith effort to comply with this Policy while identifying and reporting a suspected security vulnerability, Profound will not initiate legal action against you based solely on your participation in this process.

This safe harbor applies only if your activities:

  • are limited to assets expressly identified as in scope under this Policy;
  • comply with the restrictions and expectations set out in this Policy;
  • do not involve accessing, using, modifying, disclosing, or deleting data that does not belong to you;
  • do not disrupt, degrade, or impair Profound systems or services; and
  • are reported promptly and privately to Profound at [email protected].

This safe harbor does not apply to conduct that is outside the scope of this Policy, causes harm to Profound or any third party, involves third-party systems or data, or otherwise violates applicable law. Profound reserves all rights with respect to any conduct outside the scope of this Policy.

7. Public Disclosure

Profound asks that you do not publicly disclose a suspected vulnerability until Profound has had a reasonable opportunity to investigate and address the issue.

8. Reservation of Rights

Profound reserves the right to determine, in its sole discretion:

  • whether a reported issue constitutes a security vulnerability;
  • whether a report is within scope;
  • what actions, if any, Profound will take in response; and
  • whether any recognition or compensation will be offered.

9. Contact

Questions about this Policy may be sent to: [email protected]