Comply Strike: offensive · compliant · resilient

Security

Responsible disclosure programme

Found a security weakness in our website or services? Tell us before you tell the internet — we'll respond fast and credit you publicly if you'd like.

  • Programme: Coordinated disclosure
  • Response SLA: 2 business days
  • Remediation target: 90 days
  • Bounty: Hall of fame · no cash

Scope

  • complystrike.com and its subdomains
  • The contact form and any API routes under /api/
  • The Sanity Studio at /studio (auth bypass, IDOR, etc.)

Out of scope

  • Third-party services (Sanity.io, Cloudflare, Vercel, Resend) — please report to those vendors directly
  • Volumetric attacks, denial-of-service, or stress testing
  • Reports relying solely on outdated browsers, missing best-practice headers without a clear exploitation path, or theoretical issues without proof of impact
  • Social engineering of staff
  • Physical attacks against our office

How to report

Email [email protected] with:

  • A clear description of the issue and its impact
  • Reproduction steps, ideally with screenshots, request captures, or a short video
  • The platform / browser you tested on
  • Whether you'd like public credit or to remain anonymous

For sensitive reports, request our PGP key and we'll send it.

Our commitment

  • Acknowledge your report within 2 business days
  • Triage and confirm or dispute the finding within 10 business days
  • Aim to remediate confirmed issues within 90 days (sooner for critical)
  • Keep you informed throughout, and credit you publicly here once fixed (with your permission)
  • Not pursue legal action against researchers acting in good faith within this scope

What we ask in return

  • Don't access, modify, or destroy data that isn't yours
  • Don't degrade service for other users
  • Don't publicly disclose before we've had a chance to remediate
  • Use a single test account and your own data for proofs of concept

Hall of fame

Researchers who have helped us improve complystrike.com:

List opens with your report.

Machine-readable

See /.well-known/security.txt (RFC 9116).