RESPONSIBLE DISCLOSURE
Found something? Tell us.
We welcome good-faith security research. This page is the policy behind our security.txt.
How to report
Email info@redresscompliance.com with the subject line “Security report”. Include what you found, the steps to reproduce it, the URL or endpoint involved, and the impact you believe it has. A proof of concept helps; access to another customer’s data does not need to be proven beyond the first record.
What we commit to
We acknowledge reports within 3 business days, keep you informed while we investigate, and tell you when the issue is fixed. We do not run a paid bounty program today; we do credit researchers who want credit, and we say thank you properly.
Safe harbor
We will not pursue legal action for research that stays within this policy: act in good faith, access only what is needed to demonstrate the issue, do not read or modify other customers’ data beyond the minimum proof, do not degrade the service, and give us reasonable time to fix the issue before any public disclosure.
Out of scope
- Denial of service and volumetric testing
- Social engineering of our staff or customers
- Physical attacks and attacks on third-party services we use
- Reports from automated scanners without a demonstrated impact
Where to look first
The security overview describes the architecture: database-enforced tenant isolation, signed short-lived downloads, audit logging, and the rest. The isolation boundary is the crown jewel; if you find a way across it, we want to know the same day.