Vulnerability Disclosure Policy
Introduction
Blanket is committed to the security of our platform and the protection of our users’ data. We welcome responsible disclosure of security vulnerabilities by security researchers and members of the public. This policy describes how to report vulnerabilities, what to expect from us, and the safe harbor we provide to good-faith researchers.
Scope
This policy applies to security vulnerabilities in:
- *.blankethomes.com — all Blanket-hosted applications, including customer tenant subdomains (e.g., demo-emp.blankethomes.com)
- blankethomes.com — the Blanket marketing website
- api.blankethomes.com — API endpoints
Out of Scope:
- Third-party products or services accessible through the platform that are not developed or maintained by Blanket
- Third-party services that Blanket integrates with (e.g., Descope, Google APIs, AWS services) — report those to the respective vendors
- Social engineering attacks against Blanket employees
- Physical security of offices or data centers
- Denial of Service (DoS/DDoS) attacks — do not perform these
- Automated scanning that generates excessive traffic or degrades service
How to Report a Vulnerability
Email: security@blankethomes.com
Please provide as much of the following as possible:
- Description of the vulnerability (type, affected component)
- Steps to reproduce the issue, including URLs, request/response samples, or screenshots
- Impact assessment — what could an attacker achieve?
- Affected URL(s) or endpoint(s)
- Your contact information for follow-up questions (email is sufficient)
- Any supporting evidence (screenshots, proof-of-concept code, HTTP request/response logs)
Response Timeline
We are committed to the following response timelines:
| Action | Timeline |
|---|---|
| Acknowledgment of your report | Within 5 business days |
| Initial triage and severity assessment | Within 10 business days |
| Status update on the investigation | Within 15 business days |
| Resolution of confirmed vulnerabilities | Depends on severity (see below) |
| Notification that the issue has been resolved | Within 10 business days of the fix |
Resolution Targets by Severity:
| Severity | Target Resolution Time |
|---|---|
| Critical (actively exploitable, data exposure) | Within 7 days |
| High (significant vulnerability, not yet exploited) | Within 30 days |
| Medium (limited impact) | Within 60 days |
| Low (informational / hardening) | Within 90 days |
Our Commitments
When you report a vulnerability in good faith and in accordance with this policy, we commit to:
- Acknowledging your report promptly
- Not pursuing legal action against you (see Safe Harbor below)
- Working with you to understand and validate the issue
- Keeping you informed of our progress
- Crediting you in our acknowledgments (if you wish — you may remain anonymous)
- Resolving valid vulnerabilities in a timely manner
Safe Harbor
Blanket considers security research conducted in accordance with this policy to be:
- Authorized with respect to any applicable anti-hacking laws
- Exempt from restrictions in our Terms of Service that would interfere with security research
- Lawful and conducted in good faith
We will not pursue civil or criminal legal action against researchers who:
- Act in good faith and in accordance with this policy
- Avoid privacy violations — do not access, modify, or delete data belonging to other users
- Do not exploit vulnerabilities beyond what is necessary to demonstrate the issue
- Do not perform actions that could degrade the service for our users
- Do not publicly disclose the vulnerability before we have had a reasonable opportunity to address it (minimum 90 days)
- Make a good-faith effort to report the vulnerability to us before disclosing to any third party
If a third party (such as law enforcement) initiates action against you for activities conducted in accordance with this policy, we will take steps to make it known that your actions were in compliance with our policy.
Researcher Guidelines
To qualify for safe harbor, researchers must follow these rules:
- Do not access, download, or modify data that does not belong to you
- Do not perform denial-of-service attacks
- Do not send unsolicited emails to Blanket users as part of testing
- Do not test against accounts you do not own (create a test account if needed, or request one from security@blankethomes.com)
- Do not use automated vulnerability scanners in a way that could degrade service availability
- Do stop testing and report to us immediately if you encounter user data
- Do delete any Blanket data you accessed during testing once the vulnerability has been confirmed and resolved
Recognition
We appreciate the security research community. Researchers who report valid vulnerabilities may be listed in our security acknowledgments with their permission. We do not currently offer monetary rewards, but we value and recognize every legitimate contribution to our security.
Contact
For security vulnerability reports: security@blankethomes.com
For general inquiries: support@blankethomes.com
Last Updated: April 5, 2026