Incident Response

Use this page to report security issues and understand what information helps Iteration Layer investigate quickly.

How Should Security Issues Be Reported

Report security issues to security@iterationlayer.com.

Include the affected endpoint or page, reproduction steps, expected impact, relevant request IDs or timestamps, and whether the issue appears to expose customer data, account access, billing data, or infrastructure behavior.

What Should Not Be Sent In A Report

Security reports should not include unnecessary personal data, customer documents, production secrets, or copied account data.

Use minimal reproduction data where possible. If sensitive evidence is required to explain the issue, mention that in the first email and coordinate a safer transfer method with Iteration Layer support.

How Are Incidents Triaged

Incidents are triaged by impact, affected data type, exploitability, and customer-facing risk.

Higher-priority issues include unauthorized account access, exposed API keys, cross-organization data access, payment or billing integrity issues, production availability impact, and suspected exposure of customer content.

How Are Customers Notified

Customer notification depends on the nature, severity, and legal requirements of the incident.

When an incident affects customer data, availability, billing, or security commitments, Iteration Layer communicates through appropriate customer channels and follows applicable legal and contractual obligations.

How Should Customers Prepare Their Own Response

Keep workflow records, webhook logs, API key inventory, and project ownership information current.

When an incident investigation needs to scope the affected workflows, having project-level API keys, request timestamps, and webhook delivery records on hand can make the review faster and more precise.

How Can API Keys Be Rotated After A Suspected Exposure

Create a replacement API key, update the affected integration, verify traffic, and revoke the exposed key.

Use project-scoped keys where possible so a suspected exposure affects only the relevant workflow, client, or environment instead of the full organization.