Report a security issue — here's exactly what happens next.
We welcome reports from security researchers and treat them as a gift. This policy tells you how to reach us, what is in and out of scope, how fast we respond, and our commitment not to come after you for good-faith research.
1 · How to report
Email [email protected] with enough detail to reproduce the issue. Our machine-readable contact is at /.well-known/security.txt (RFC 9116).
2 · Our response commitments
| Stage | Target |
|---|---|
| Acknowledge your report | Within 2 business days |
| Triage and initial assessment | Within 5 business days |
| Progress updates | At least every 14 days until resolved |
| Coordinated disclosure window | Up to 90 days, extendable by agreement |
3 · In scope
- The production PayHQ application and admin console, and the API-key-authenticated integration API (
POST /v1/integrations/invoices). - Mailbox and intake connectors.
- The document extraction pipeline — including prompt-injection or malformed content delivered through a crafted invoice document. This is a bug class we specifically want reported.
4 · Out of scope
- Do not test against workspaces or data that are not your own. PayHQ is multi-tenant and holds real supplier bank details — an uninvited cross-tenant probe is a personal-data breach, not a finding. Email us and we will provide an isolated test tenant.
- Denial-of-service, volumetric, or load testing.
- Social engineering of our staff, customers, or suppliers.
- Reports from automated scanners with no demonstrated impact.
5 · Safe harbour
If you make a good-faith effort to comply with this policy during your research, FIT PUP LTD will consider your testing authorised, will not pursue or support legal action against you, and will not report you to law enforcement. If a third party brings action against you for activity conducted under this policy, we will make it known that your actions were authorised.
The UK has no statutory safe harbour for security researchers under the Computer Misuse Act 1990, so we state this commitment explicitly. This policy is governed by the laws of England & Wales. We follow the NCSC Vulnerability Disclosure Toolkit.