Coordinated Vulnerability Disclosure

At Sentiance, we build technology that sits at the intersection of mobility intelligence and personal data. Security is not an afterthought for us, and we genuinely welcome researchers who take the time to look carefully at our systems.

If you find something, we want to hear from you.

How to Report

Send your findings to privacy@sentiance.com. A useful report includes a clear description of the vulnerability, steps to reproduce it, the potential impact, and any supporting evidence such as screenshots, logs, or proof-of-concept code. The more context you provide, the faster we can act.

In Scope

Sentiance is more than a website. If you are wondering where to start, our developer documentation at docs.sentiance.com gives you a meaningful window into what we build and how. Our backend infrastructure, APIs, and mobile applications (iOS and Android) are where the real crown jewels live, and they are all in scope.

www.sentiance.com is a static marketing site. It contains no backend logic and no personal data. It is technically in scope, but only for findings with genuine reputational or integrity impact, such as domain takeover or cache poisoning that could alter site content. Please do not submit low-impact web findings against www.sentiance.com, including missing security headers, cookie flags, clickjacking, or similar best-practice issues.

What We Are Looking For

We prioritize vulnerabilities that demonstrate real impact on end user data, system integrity, or platform security. This includes authentication and authorization flaws, sensitive data exposure, API logic vulnerabilities, and mobile application security issues.

Out of Scope

To keep the process useful for everyone, the following techniques must not be used during your research, and the following categories of findings, as well as any findings derived from prohibited techniques, will not be considered:

General

  • DDoS, brute force, or volumetric attack vectors against any target
  • Spam, social engineering, and physical intrusion
  • Attacks requiring physical access to a victim's device, man-in-the-middle scenarios, or compromised user accounts
  • Theoretical security issues with no realistic exploit scenario or attack surface
  • Scanner output or reports stating software is out of date without a proof-of-concept demonstrating actual impact
  • Recently disclosed vulnerabilities where a public patch or mitigation has been available for less than 14 days

Web and API

  • Missing HTTP security headers on www.sentiance.com
  • Missing cookie flags
  • CORS misconfiguration on non-sensitive endpoints
  • Best practice violations such as password complexity, expiration, re-use, etc.
  • Clickjacking without proven impact or unrealistic user interaction
  • Self-XSS that cannot be used to exploit other users
  • Bypassing rate limits or the non-existence of rate limits on non-sensitive endpoints
  • Username or email enumeration
  • Sessions not being invalidated on logout or when enabling two-factor authentication
  • Verbose messages or directory listings that do not disclose sensitive information
  • Banner grabbing or version disclosure without a working proof-of-concept
  • HTTP request smuggling without proven impact
  • Blind SSRF without proven business impact
  • Subdomain takeover without actually taking over the subdomain
  • Issues that require complex end-user interactions to be exploited
  • API key leakage where the key is usable exclusively for non-sensitive activities/actions

Mobile

  • Absence of certificate pinning
  • Lack of jailbreak or root detection
  • Runtime hacking exploits that are only possible on a jailbroken or rooted device
  • Crashes due to malformed URL schemes
  • Lack of binary protection or anti-debugging control

Responsible Researcher Guidelines

Testing boundaries

Restrict your testing strictly to your own accounts and data. If you gain access to an authenticated or restricted environment such as an admin panel or internal network, stop testing immediately and report the finding. Do not use that access to explore further. We will assess maximum impact from the finding itself.

Proof-of-concept scope

Keep your proof-of-concept commands to the minimum necessary to confirm a finding. Checking a database version or returning a benign string is sufficient. Do not perform write operations, data manipulation, or bulk data extraction. Do not test flows that could incur costs for Sentiance, such as SMS-based or other transactional endpoints, without explicit permission.

Personal data

If you encounter personal data belonging to Sentiance, its customers, end users, or partners during your testing, do not download, copy, store, or share it. Describe what you were able to access in your report, but do not include raw PII in screenshots or attachments. Redact or blur where necessary.

Confidentiality

Do not discuss or disclose vulnerability details, proof-of-concept code, or reproduction videos to any third party, including on platforms such as YouTube or Vimeo, without prior written consent from Sentiance. This applies until Sentiance has had a reasonable opportunity to remediate, after which disclosure should be coordinated with Sentiance.

Scope

Respect the scope defined in this CVD. Testing assets outside of it removes the legal safe harbor described below and may expose you to legal consequences.

If you discover something outside this scope, you are welcome to report it regardless, but we cannot guarantee a response or safe harbor for out-of-scope findings.

Report quality

Submit findings you understand and can demonstrate. Please do not submit placeholder reports, speculative findings, or bulk scanner output. Quality over quantity benefits everyone.

If you use AI tools as part of your workflow, you remain fully responsible for the validity of your findings. Reports that appear to be unverified AI output, contain fabricated elements, or lack demonstrated technical understanding may be closed without response.

Our Commitment

We will acknowledge your report within 5 business days, keep you informed as the investigation progresses, and notify you when the vulnerability is resolved. We do not currently operate a paid bug bounty program, but we take every valid report seriously and credit researchers where they consent to it. Sentiance may choose to reward exceptionally valuable submissions, without any obligation to do so or to provide justification.

Legal Safe Harbor

Sentiance considers security research and vulnerability disclosure activities conducted in good faith and in accordance with this policy to be authorized. We will not initiate or support legal action against researchers for activities carried out under this policy, provided the researcher:

  • acts in good faith and avoids privacy violations, service disruption, degradation of user experience, or destruction of data;
  • limits testing to the scope defined above and to their own accounts and data;
  • reports findings promptly to privacy@sentiance.com and refrains from public disclosure until Sentiance has had a reasonable opportunity to remediate;
  • complies with applicable Belgian and European Union law, including the General Data Protection Regulation (GDPR).

Activities that go beyond what is necessary to demonstrate a vulnerability, or that cause harm to Sentiance systems, customers, or end users, are not authorized and fall outside this safe harbor.

Last updated: 28 April 2026
