Responsible Disclosure
We value the security community's help in keeping Praxiss and our customers safe. If you've found a vulnerability, we want to hear from you.
Scope
The following assets are in scope for responsible disclosure:
*.praxiss.io - All subdomains of praxiss.io
app.praxiss.io - The Praxiss web application
API endpoints - All API endpoints served by the Praxiss platform
Out of scope:
Social engineering attacks (including phishing) against Praxiss employees or customers
Denial of Service (DoS) or Distributed Denial of Service (DDoS) attacks
Physical security attacks
Vulnerabilities in third-party services, libraries, or infrastructure providers (e.g., AWS, Resend)
Automated scanning or brute-force attacks
How to Report
Please send your findings to security@praxiss.io. To help us triage and respond as quickly as possible, please include:
A clear description of the vulnerability and its potential impact
Step-by-step instructions to reproduce the issue
The affected URL, endpoint, or component
Your assessment of the severity (critical, high, medium, low)
Any proof-of-concept code, screenshots, or videos
Your contact information for follow-up (email is sufficient)
Encrypted reports: If you'd like to encrypt your report, we can provide a PGP public key on request. Email security@praxiss.io with the subject line "PGP Key Request" and we will respond with our public key.
What We Ask
Allow us a reasonable timeframe to investigate and address the vulnerability before any public disclosure - we ask for a maximum of 90 days from the initial report.
Make a good-faith effort to avoid accessing, modifying, or deleting data belonging to other users or organisations.
Do not exploit the vulnerability beyond what is necessary to demonstrate the issue.
Do not use automated tools that could degrade the availability or performance of our services.
Act in good faith and comply with all applicable laws.
What We Commit
Acknowledge receipt of your report within 48 hours.
Provide an initial assessment within 5 business days.
Keep you informed of our progress as we work to resolve the issue.
Credit you publicly as the discoverer (if you wish) once the vulnerability has been resolved.
Notify you when the issue has been fixed and provide details of the resolution.
Safe Harbor
We consider security research conducted in accordance with this policy to be authorised and will not pursue legal action against researchers who:
Act in good faith and in compliance with this policy
Avoid privacy violations, data destruction, or service disruption
Report vulnerabilities directly to us and do not disclose them to third parties before we've had a reasonable opportunity to address them
We will not initiate legal proceedings against security researchers who discover and report vulnerabilities in accordance with this policy. This commitment applies to civil and criminal claims that Praxiss could pursue.
Bug bounty program: We do not currently operate a formal bug bounty program with monetary rewards. However, we are grateful for every report and will publicly credit researchers who wish to be recognised. We may introduce a bounty program in the future.
Ready to report a vulnerability? Reach out to our security team at security@praxiss.io.