CONFIDANTI

Legal

Security disclosure

Last updated: 2026-05-13

We take security seriously and we appreciate the work of researchers who help keep us — and our customers — safe. This page describes how to report a vulnerability and how we will handle it.

How to report

Email security@confidanti.com. We acknowledge reports within one (1) business day. PGP key fingerprint available on request.

Please include:

  • A clear description of the vulnerability and impact.
  • Reproducible steps, ideally with proof-of-concept payload or recording.
  • The affected URL or endpoint, and the version/commit if you can identify it.
  • Your full name and contact information.

Scope

The following are in-scope for reporting:

  • confidanti.com and any subdomain.
  • The Confidanti web application and its API endpoints.
  • Authentication, authorization, and account-takeover paths.
  • Injection, deserialization, and other classic OWASP-Top-10 class issues.

Out of scope

  • Issues in third-party services we use (Stripe, Resend, Google Cloud) — report those to the provider directly. We will collaborate where helpful.
  • Denial-of-service tests against production. Please coordinate with us first.
  • Reports based purely on scanner output with no demonstrable impact.
  • Missing security headers without a working exploit chain.
  • Self-XSS or issues that require an unrealistic victim configuration.

Our response

  • Acknowledgement: within 1 business day.
  • Initial assessment: within 3 business days.
  • Resolution: we aim to fix critical issues within 7 days, high within 30, medium within 90. We will keep you updated.

Safe harbor

We will not pursue legal action against good-faith researchers who:

  • Make a good-faith effort to avoid privacy violations, data destruction, and service interruption.
  • Do not exfiltrate data beyond what is needed to demonstrate the issue.
  • Give us a reasonable chance to fix the issue before public disclosure.
  • Do not exploit the issue for any purpose other than reporting it.

If you are unsure whether your testing falls within these guidelines, email us first.

Other contacts

See also our security.txt file for the canonical contact data and PGP key.