← Back to Incognito
Security Acknowledgments
Our thanks to the researchers who responsibly disclose vulnerabilities in Incognito. This page is where we credit them — with consent.
How to report
Email security@useincognito.com. Include:
- A clear description of the issue and its impact
- Steps to reproduce (PoC, screenshots, or traffic captures)
- The affected endpoint, build, or version
- Whether you'd like to be credited here (name + optional link)
We respond within 72 hours. Full disclosure details live at /.well-known/security.txt.
Safe harbor
Good-faith research that respects user privacy, avoids data destruction, and stays within your own account is welcome. We won't pursue legal action against researchers following this policy.
Credits
No public credits yet. Incognito is early — when the first responsibly disclosed report lands and the researcher opts to be listed, they'll appear here with date, CVE-like ID, and a one-line description of the class of bug.
Out of scope
- Denial-of-service via volumetric load (ratelimits already mitigate)
- Best-practice findings with no demonstrated impact (e.g. "missing security header X" without an attack path)
- Social-engineering of our team or customers
- Issues in third-party dependencies already patched upstream
Policy: Data retention · Privacy · Terms