RESPONSIBLE DISCLOSURE

Found something? Tell us.

We welcome good-faith security research. This page is the policy behind our security.txt.

How to report

Email info@redresscompliance.com with the subject line “Security report”. Include what you found, the steps to reproduce it, the URL or endpoint involved, and the impact you believe it has. A proof of concept helps; access to another customer’s data does not need to be proven beyond the first record.

What we commit to

We acknowledge reports within 3 business days, keep you informed while we investigate, and tell you when the issue is fixed. We do not run a paid bounty program today; we do credit researchers who want credit, and we say thank you properly.

Safe harbor

We will not pursue legal action for research that stays within this policy: act in good faith, access only what is needed to demonstrate the issue, do not read or modify other customers’ data beyond the minimum proof, do not degrade the service, and give us reasonable time to fix the issue before any public disclosure.

Out of scope

Where to look first

The security overview describes the architecture: database-enforced tenant isolation, signed short-lived downloads, audit logging, and the rest. The isolation boundary is the crown jewel; if you find a way across it, we want to know the same day.