Last updated: 1 June 2026. This page is written for a New Zealand business context and is not legal advice.
Contents
- What to report
- Not authorised
- Safe detail to include
- Response
- No bounty promise
1. What to report
- Authentication, session, email-code, password, invite, role, or account takeover weaknesses.
- Broken access control affecting client, staff, affiliate, freelancer, admin, file, payment, quote, domain, booking, studio, or marketing records.
- Exposed D1, R2, KV, Queue, AI request, Vectorize, Stripe, Microsoft, GitHub, Cloudflare, Resend, or other provider data.
- Insecure file upload/download paths, signed URL issues, private media exposure, malware upload risk, or file type/size bypass.
- Payment, Stripe webhook, invoice, manual payment, referral reward, affiliate, domain, Turnstile, rate-limit, or form abuse weaknesses.
2. What is not authorised
- Denial-of-service, destructive scanning, brute force, credential stuffing, phishing, social engineering, malware deployment, spam waves, forced browsing at scale, persistence testing, data exfiltration, or accessing unrelated customer records.
- Testing Stripe live payments, Microsoft accounts, Cloudflare accounts, registrar accounts, email provider accounts, or customer domains without written authorisation.
- Public disclosure before we have had a reasonable opportunity to assess and remediate the issue.
3. Safe detail to include
- Affected URL, endpoint, page, form, workflow, file area, account role, or provider integration.
- Clear reproduction steps that do not expose customer data or disrupt service.
- Date, time, timezone, browser/device, account role used, request samples with secrets removed, screenshots, and a concise impact explanation.
4. Our response
We aim to review security reports reasonably, assess severity, contain risk, preserve evidence, involve providers where needed, update controls, and communicate where appropriate. Timing depends on severity, reproducibility, provider involvement, legal obligations, and operational risk.
5. Legal reservation and no bounty promise
This page does not authorise unrestricted testing, unauthorised access, disruption, privacy breaches, or criminal conduct. We do not currently promise a bug bounty, reward, public credit, fixed response time, or disclosure timeline.