Security
Responsible disclosure
Finpliq welcomes responsible reports from security researchers. Please help us protect users by reporting vulnerabilities safely and privately.
Scope
Reports may cover the Finpliq web application, authentication, authorisation, HMRC filing workflows, API routes and public Trust Centre pages. Do not test against HMRC systems, third-party services or customer accounts you do not own.
Safe harbour
Good-faith research that avoids privacy harm, service disruption, data destruction, extortion and public disclosure before remediation will be treated as authorised security research.
How to report
Email security@example.invalid with affected URL, steps to reproduce, impact, screenshots or a safe proof of concept, and your contact details. This address should be configured with NEXT_PUBLIC_SECURITY_CONTACT_EMAIL in production.
Response and disclosure
Finpliq aims to acknowledge valid reports promptly, assess severity, remediate proportionately and coordinate a reasonable disclosure timeline. Finpliq does not currently operate a paid bug bounty programme.
Recognition
Recognition may be offered where appropriate and agreed with the reporter. No financial reward is promised unless a formal programme is introduced.