🔒
Security

Security & Responsible Disclosure

PSIP is committed to keeping our platform secure for all users. We welcome reports from security researchers who identify vulnerabilities in good faith and will work with you to resolve them quickly.

Found a vulnerability?

Email us at [email protected]. We will acknowledge your report within 2 business days and aim to provide a full response within 10 business days.

Scope

✓ In scope

  • psip.co.uk and all subdomains
  • The PSIP web application and API
  • Authentication and session management
  • Data isolation between user accounts

✗ Out of scope

  • Denial of service attacks
  • Social engineering of PSIP staff
  • Physical security
  • Third-party services (Supabase, Resend — report these to those providers directly)

How to report

1. Email [email protected]

Send your report to our dedicated security address. Please do not report vulnerabilities through public GitHub issues, social media, or other public channels.

2. Include the key details

A clear description of the issue, step-by-step instructions to reproduce it, an assessment of the potential impact, and your contact details for follow-up.

3. Allow us time to respond

We will acknowledge your report within 2 business days. We aim to provide a full response — including our assessment and a fix timeline — within 10 business days.

Our commitments to researchers

⚖️

No legal action for good faith research

We will not pursue legal action against researchers who discover and report vulnerabilities responsibly, in accordance with this policy.

📬

We will keep you informed

We will update you as we investigate and resolve the issue. We aim to be transparent about our timelines and findings.

๐Ÿ…

Credit where it is due

We will acknowledge researchers in our release notes for confirmed vulnerabilities, where the researcher chooses to be named.

What we ask of you

  • Do not access, modify, or delete other users' data
  • Do not disrupt the service or degrade its performance for other users
  • Report to us before making any public disclosure, and allow reasonable time for a fix
  • Act in good faith — test only against your own account where possible

Security contact

For all security-related reports and enquiries:

[email protected]

Response within 2 business days · Full response within 10 business days