Security Policy

1. Overview

Venn Labs LLC ("we", "us", "our") takes the security of ThreadScope and the data of our users seriously. We welcome responsible disclosure of security vulnerabilities from security researchers, users, and the general public.

This policy describes how to report vulnerabilities, what to expect from us, and the protections we offer to good-faith security researchers.

2. Scope

This policy covers:

• The ThreadScope web application and its associated APIs.
• Infrastructure directly operated by Venn Labs LLC for the ThreadScope service.

Third-party services we use (such as OpenRouter, Polar, Resend, or Sentry) are not in scope. If you discover a vulnerability in one of these services, please report it directly to the affected provider.

3. Reporting a vulnerability

Please report security vulnerabilities by email to ops@threadscope.io. Include the following information:

• A description of the vulnerability and its potential impact.
• Steps to reproduce the issue, including any tools or scripts used.
• The URL or component affected.
• Your assessment of severity (critical, high, medium, low).
• Any suggestions for remediation, if you have them.

Please do not report security vulnerabilities through public channels such as GitHub issues, social media, or public forums.

4. What to expect

• We will acknowledge receipt of your report within 3 business days.
• We will provide an initial assessment and estimated timeline within 10 business days.
• We will keep you informed of our progress toward resolving the issue.
• We will notify you when the vulnerability has been fixed.
• We ask that you allow us a reasonable period (typically 90 days) to address the vulnerability before any public disclosure.

5. Safe harbor

We consider security research conducted in accordance with this policy to be authorized and will not pursue legal action against researchers who:

• Act in good faith to avoid privacy violations, data destruction, and service disruption.
• Only interact with accounts they own or with explicit permission of the account holder.
• Do not exploit a vulnerability beyond what is necessary to demonstrate it.
• Report vulnerabilities promptly and do not use them for unauthorized purposes.
• Do not publicly disclose vulnerability details before we have had a reasonable opportunity to fix the issue.

If legal action is initiated by a third party against a researcher who has acted in accordance with this policy, we will take steps to make it known that the researcher's actions were conducted in compliance with this policy.

6. Out of scope

The following are not considered in-scope vulnerabilities:

• Denial of service (DoS/DDoS) attacks.
• Social engineering or phishing attacks against ThreadScope employees or users.
• Physical attacks against ThreadScope infrastructure.
• Vulnerabilities in third-party services or dependencies (report those to the vendor).
• Automated scanning or brute-force attacks without prior coordination.
• Reports of missing security headers that do not demonstrate a concrete exploit.
• Reports of outdated software versions without a demonstrated vulnerability.

7. Contact

• Security reports: ops@threadscope.io
• General inquiries: hello@threadscope.io
• Mail: Venn Labs LLC, 1302 Platte Falls Rd Ste D #429, Platte City, MO 64079, United States

Version history

• 14 May 2026 -- Initial version.