Responsible disclosure policy

24i understands the importance of security in our products. We believe that the responsible disclosure of any security vulnerabilities identified by security researchers plays an important role in how we conduct our business.

Security researchers

24i accepts vulnerability reports from all sources including independent security researchers, industry partners, vendors and customers. We define a vulnerability as a flaw or weakness in system security procedures, design, implementation, or internal controls that could be exercised (accidentally triggered or intentionally exploited) and result in a security breach or a violation of the system’s security policy.

How to report a suspected vulnerability

24i asks security researchers to share details of any suspected vulnerabilities via email to If you feel the need, please use our PGP public key to encrypt your communication with us.

At a minimum please include the following information with your initial submission:

  • Your assessment of the Severity (Critical/High/Medium/Low)
  • The name of the 24i application or product that your report relates to
  • Short description
  • Steps to reproduce (please be as detailed as possible; include screenshots if applicable)
  • Date and time of your testing
  • Preferred contact method (e.g. phone, email)

24i will acknowledge submitted reports within 3 working days. 24i asks that all parties respect a 90 day hold-off period before making full disclosure.