We take security seriously. If you discover a vulnerability in Mail-Organiser, we want to hear from you. This policy explains how to report a vulnerability responsibly and what you can expect from us in return.
1. Our commitment to you
We will:
- Acknowledge your report within 3 business days.
- Investigate and provide an initial assessment within 10 business days.
- Keep you informed of progress throughout the remediation process.
- Not pursue legal action against researchers who act in good faith and follow this policy.
- Credit you in our security advisories (if you wish to be named).
- Aim to remediate critical vulnerabilities within 30 days and other vulnerabilities within 90 days.
2. How to report
- Email your report to [email protected].
- Include a clear description of the vulnerability and its potential impact.
- Provide step-by-step reproduction instructions, including any tools used.
- Include screenshots, proof-of-concept code, or network traces where relevant.
- Tell us which systems or URLs are affected.
Vulnerability details are sensitive by nature, so you may encrypt your report with our PGP key (available on request) before sending it.
3. Scope — in scope
- mail-organiser.com and all subdomains
- api.mail-organiser.com (the Mail-Organiser API)
- The Mail-Organiser Outlook add-in
- Cloudflare Workers backing the service
4. Scope — out of scope
- Microsoft Outlook or Microsoft Graph API vulnerabilities — report these to Microsoft MSRC.
- Vulnerabilities in third-party platforms themselves (Stripe, Resend, Cloudflare's own infrastructure) — report these directly to those vendors. Our own code deployed on Cloudflare Workers remains in scope (see section 3).
- Denial of service attacks.
- Social engineering or phishing attacks against our staff.
- Physical security issues.
5. Good-faith rules
To qualify for safe harbour under this policy, you must:
- Only test against accounts you own or have explicit written permission to test.
- Not access, modify, or delete data belonging to other users.
- Not disrupt the service or degrade performance for other users.
- Not publicly disclose the vulnerability until we have had the opportunity to remediate it (coordinated disclosure).
- Report promptly and not exploit the vulnerability for any purpose beyond demonstrating it to us.
6. No bug bounty
We do not currently operate a paid bug bounty programme, but we genuinely appreciate responsible disclosures and will acknowledge all valid reports publicly (with your permission).