Skip to main content
Finpliq
Start free

Security

Responsible disclosure

Finpliq welcomes responsible reports from security researchers. Please help us protect users by reporting vulnerabilities safely and privately.

Scope

Reports may cover the Finpliq web application, authentication, authorisation, HMRC filing workflows, API routes and public Trust Centre pages. Do not test against HMRC systems, third-party services or customer accounts you do not own.

Safe harbour

Good-faith research that avoids privacy harm, service disruption, data destruction, extortion and public disclosure before remediation will be treated as authorised security research.

How to report

Email security@example.invalid with affected URL, steps to reproduce, impact, screenshots or a safe proof of concept, and your contact details. This address should be configured with NEXT_PUBLIC_SECURITY_CONTACT_EMAIL in production.

Response and disclosure

Finpliq aims to acknowledge valid reports promptly, assess severity, remediate proportionately and coordinate a reasonable disclosure timeline. Finpliq does not currently operate a paid bug bounty programme.

Recognition

Recognition may be offered where appropriate and agreed with the reporter. No financial reward is promised unless a formal programme is introduced.