Helm
Sign in
back
Security

Responsible Disclosure

We build Helm to help travel agencies and guides run their operations with confidence. Security is foundational to that trust.

Report a vulnerability
security@helmkit.com

If you've discovered a vulnerability in our systems, please reach out. We'll work with you to resolve it quickly and safely.

01

Scope

This policy covers all services operated by Helm, including:

  • helmkit.com and all subdomains
  • The Helm web application
  • Our public-facing APIs

The following are out of scope:

  • Third-party services and integrations we use but don't control
  • Social engineering attacks against our team or users
  • Denial of service attacks
  • Physical security of our offices or infrastructure
  • Findings from automated scanning tools without validated impact
02

How to Report

Send your findings to security@helmkit.com. To help us investigate and respond effectively, please include:

  • A clear description of the vulnerability and its potential impact
  • Step-by-step instructions to reproduce the issue
  • Affected URLs, endpoints, or components
  • Screenshots, screen recordings, or proof-of-concept code if available
  • Your suggested severity assessment (critical, high, medium, low)

The more detail you provide, the faster we can validate and address the issue. We accept reports in English or French.

03

Rules of Engagement

When researching vulnerabilities in our systems, we ask that you:

  • Do not access, modify, or delete data belonging to other users
  • Do not degrade or disrupt the availability of our services
  • Do not use social engineering, phishing, or physical attacks against our team or users
  • Do not publicly disclose the vulnerability before we've had reasonable time to address it
  • Make a good-faith effort to minimize any harm during your testing
  • Only interact with accounts you own or have explicit permission to test
04

Safe Harbor

When conducting vulnerability research in accordance with this policy, we consider your research to be:

  • Authorized under applicable anti-hacking laws. We will not initiate or support legal action against you for accidental, good-faith violations of this policy.
  • Authorized under anti-circumvention laws. We will not bring a claim against you for circumvention of technology controls.
  • Exempt from restrictions in our Terms of Service that would interfere with conducting security research. We waive those restrictions on a limited basis for work done under this policy.
  • Lawful, helpful to the overall security of the internet, and conducted in good faith.

If legal action is initiated by a third party against you and you have complied with this policy, we will take steps to make it known that your actions were conducted in compliance with this policy. This safe harbor applies only to legal claims under Helm's control and does not bind independent third parties.

05

What to Expect from Us

When you submit a report, here's what we commit to:

3dWe'll acknowledge your report within three business days.
We'll keep you informed with regular status updates as we investigate.
We'll notify you when the issue has been resolved.
We'll work with you in good faith throughout the entire process.
06

Disclosure & Recognition

We ask for a coordinated disclosure window of 90 days from the initial report before any public disclosure, so we have adequate time to investigate and deploy a fix.

We're happy to credit researchers who report valid vulnerabilities. Let us know how you'd like to be acknowledged—by name, handle, or anonymously.

We do not currently operate a paid bug bounty program, but we genuinely value every responsible report and the people behind them.

This policy is inspired by the disclose.io framework and follows industry best practices for coordinated vulnerability disclosure. Last updated February 2026.