Responsible disclosure

Report a Security Issue

Thank you for taking the time to tell us. The fastest way to reach our security team is by email — we monitor and triage within one UK business day.

Email

[email protected]

If you need PGP, request the current public key in your first email and we will send it to you.

Before you send your report, please read our Vulnerability Disclosure Policy. It explains what is in scope, the safe harbour we offer for good-faith research, and what we will do once your report arrives.

What to include in your report

  • A clear description of the issue and where you found it (URL, parameter, screen)
  • Step-by-step instructions to reproduce, with any payload or sample input
  • The impact: what an attacker could do if this issue were exploited
  • Your preferred name and a way to contact you — email is fine; we will not share this without your consent
  • Optionally, a suggested fix or mitigation

What happens next

  • We acknowledge within 3 UK business days.
  • We triage and tell you our initial assessment within 10 UK business days.
  • We keep you updated through fix and disclosure timing.
  • If the issue is in scope, previously unknown, and reported under our policy, we will credit you on our Hall of Fame (with your consent).

Not a security issue? For product bugs and general questions, use our contact form or email [email protected].