Reporting bugs

We take bug reports seriously. The more context you give us, the faster the fix.

Where to send reports

Type                                                        Send to
Bug — UI, scanner false positive/negative, API error        [email protected]
Feature request                                             [email protected]
Billing / account question                                  [email protected]

Security-impacting bugs

If you believe you've found a security vulnerability (auth bypass, data leak across accounts, RCE, etc.), please email [email protected] with [SECURITY] in the subject line, and do not publish details until we've had a chance to investigate and fix the issue. We don't currently run a formal vulnerability-disclosure program or bug bounty.

We don't currently have a public issue tracker for the SaaS product (the OSS scanner engine on github.com/fpulidov/credwatch does accept issues — please file SaaS bugs to support@ instead).

What to include

The single biggest accelerator for any bug fix is a few specific data points. Please send all of these if you have them:

  1. What you were doing — the page or API call, with the URL.
  2. What you expected to happen — short sentence.
  3. What actually happened — what you saw, copy-pasted text or a screenshot.
  4. When — UTC time, ±5 minutes is fine. We can correlate from server logs.
  5. Your account slug — visible in the top-right of the portal, or it's the subdomain-like string in URLs.
  6. Browser + OS, for UI bugs. ("Chrome 138 on macOS 15.")
  7. Any error codes the response body included.
  8. Steps to reproduce, if you've worked them out.

A 6-line email with the above is more useful than a 4-paragraph narrative without it.

Good bug report (template)

Subject: [Bug] Finding detail page 500s on commit findings

Account: acme
When: 2026-05-21 14:33 UTC
Page: https://app.cred-watch.com/findings/01HXYZ...

Expected: Finding detail page loads with commit metadata.
Actual:   500 Internal Server Error.

Browser: Firefox 130 on Ubuntu 24.04.
Steps:   1. Go to /findings, sorted by score desc.
         2. Click the top result (source_type=commit).
         3. Page loads briefly, then 500s.

Console error: "TypeError: undefined is not an object" but I'm not sure
if that's related.

We typically respond within 24 business hours on Free/Starter and same-business-day on Growth/Enterprise. Critical bugs (data loss, security, total service outage) get paged immediately regardless of plan.

What we'll do

  1. Confirm receipt — usually within a few hours.
  2. Reproduce — using your account context, we'll try to replicate locally.
  3. Triage — assign a severity (cosmetic / annoyance / blocker / critical).
  4. Fix and deploy — typical turnaround: critical = same day, blocker = a few days, annoyance = next release.
  5. Notify you — when the fix ships, we'll reply on the original thread.

For SaaS bugs, we don't always ship a changelog entry — but you can see deployment dates on the status page.

Bug bounty

We don't run a public bug bounty program. If that changes, we'll announce it on the status page and add a dedicated disclosure page to these docs.