← Back to Internalize

Security disclosure

We welcome reports from security researchers. This page describes our scope, expectations, and safe-harbor commitment.

Reporting

Email [email protected] with details. Please include:

  • Steps to reproduce
  • Affected URL or endpoint
  • Impact assessment
  • Your name or handle (for credit, if desired)

We acknowledge legitimate reports within 5 business days and aim to remediate critical issues within 30 days.

Scope

The following are in scope for testing:

  • Our production web application
  • Our public API
  • Our published webhook endpoints

Out of scope:

  • Denial-of-service attacks
  • Social engineering of our staff or contractors
  • Physical attacks
  • Third-party services (report directly to those providers)

Safe harbor

If you make a good-faith effort to follow this policy and avoid privacy violations, destruction of data, and service disruption, we will not pursue legal action against you for security research. We will work with you to resolve the issue.

Machine-readable contact

A security.txt file is published at /.well-known/security.txt.