Security disclosure
If you've found a security issue in Marshal, here's how to tell us about it — and what to expect in return.
Reporting
Email security@marshal.to with as much detail as you can, including:
- Affected URL or endpoint
- A reproduction (steps, payload, request/response if relevant)
- The impact you observed
- Whether you accessed any data that wasn't your own
- Your contact preferences and timezone
Encrypted reports are welcome. If you'd prefer to use PGP, request the current public key in your first message and we'll send it before you share the details.
What we commit to
- Acknowledge your report within 3 business days.
- Triage and confirm reproducibility within 10 business days.
- Communicate a remediation plan within 30 business days, including target fix date.
- Credit you publicly for the discovery (with your permission) once a fix has shipped and customers are no longer exposed.
- Not pursue legal action against researchers who comply with this policy in good faith. See safe harbor below.
Scope
In scope:
- The Marshal application at marshal.to and any subdomain
- The Marshal API surface (REST, SCIM, and chat streaming)
- Authentication and session handling, including SAML SSO and MFA
- Tenant isolation: any path that lets one tenant access another tenant's data
- Audit log integrity: anything that breaks the hash chain
Out of scope:
- Findings that require physical access, social engineering of our staff, or attacks against the sub-processors we depend on (Supabase, Anthropic, Vercel, etc.) — report those to the respective providers
- Denial-of-service, brute force, or rate-limit issues (please don't test these against production)
- Missing security headers without a demonstrated impact
- Reports generated solely by automated scanners without a working proof of concept
- Issues in third-party services that we configure but don't control (e.g., a misconfigured Stripe customer portal)
Safe harbor
Research conducted under this policy in good faith is authorized. Specifically, we won't pursue legal action or initiate law-enforcement contact against you if you:
- Limit testing to the scope above
- Stop testing and notify us immediately if you discover a vulnerability that exposes customer data, and don't access more than is necessary to demonstrate the issue
- Don't exploit findings beyond proof of concept
- Give us reasonable time to fix before public disclosure
- Comply with all other applicable law (we can't waive obligations you have to third parties)
Public disclosure
We'll coordinate the timing of public disclosure with you. By default, disclosure is published after a fix ships and customers have had a reasonable update window. Researchers may publish their own write-ups any time after that, and we'll link to them.
Machine-readable
A security.txt file conforming to RFC 9116 is published at the canonical path, listing the current security contact, the URL of this policy, and an expiration date.