Responsible Disclosure Policy
Helping us keep Akordans secure
Effective date: 25 March 2026
Akordans takes the security of our platform and our users' data extremely seriously. We welcome reports from security researchers who discover potential vulnerabilities.
Scope
In scope:
- akordans.com and all subdomains
- api.akordans.com
- The Akordans web and mobile applications
- Our API endpoints
Out of scope:
- Third-party services (Stripe, Resend, Anthropic)
- Social engineering or phishing attacks
- Physical security
- Denial of service (DoS/DDoS) attacks
- Automated scanning without prior approval
What to Report
We are particularly interested in:
| Vulnerability Type | Examples |
|---|---|
| Authentication issues | Broken login, session fixation, JWT vulnerabilities |
| Authorisation issues | Accessing other users' data, privilege escalation |
| Data exposure | Unintended exposure of personal or case data |
| Injection attacks | SQL injection, XSS, command injection |
| API security | Insecure endpoints, missing rate limiting, IDOR |
| CSRF | Missing or bypassable CSRF protection |
How to Report
Email: security@akordans.com
Please include in your report:
- A clear description of the vulnerability
- Step-by-step instructions to reproduce it
- The potential impact if exploited
- Any proof-of-concept code or screenshots
- Your suggested fix (optional but appreciated)
For sensitive reports, request our PGP key before sending.
Our Commitments to You
| Commitment | Timeline |
|---|---|
| Acknowledge your report | Within 48 hours |
| Provide a status update | Within 7 days |
| Resolve critical vulnerabilities | Within 30 days |
| Notify you when resolved | Upon fix deployment |
We commit to:
- Not pursuing legal action against researchers acting in good faith
- Crediting you in our security acknowledgements (if you wish)
- Keeping you informed throughout the resolution process
Rules of Engagement
To qualify for responsible disclosure protections, you must:
- ✅ Only test on accounts you own or have explicit permission to test
- ✅ Stop immediately if you encounter any personal data
- ✅ Report findings promptly and privately
- ✅ Give us reasonable time to respond before public disclosure
- ❌ Not access, modify, or delete other users' data
- ❌ Not perform denial of service testing
- ❌ Not use automated scanners without prior written approval
- ❌ Not publicly disclose before we have resolved the issue
Security Acknowledgements
We maintain a Hall of Fame for researchers who responsibly disclose valid vulnerabilities. We do not currently offer monetary bounties but are considering a formal bug bounty programme.
Contact
Security issues: security@akordans.com
General enquiries: support@akordans.com
Response time: within 48 hours for security reports