Security Disclosure Policy
Effective date: April 28, 2026
Permissio, Inc.
1. Purpose
This Security Disclosure Policy explains how security researchers, customers, and users may report suspected vulnerabilities in Permissio systems, and describes Permissio's research rules and safe harbor commitment.
2. How to Report
Send vulnerability reports to security@permissio.us.
Please include:
- A clear description of the vulnerability
- The affected URL, endpoint, feature, or component
- Steps to reproduce the issue
- Potential impact and severity assessment
- Proof-of-concept information, where safe and relevant
- Your contact information for follow-up
Reports may be submitted in English.
3. Research Rules
When conducting security research on Permissio systems, you must:
- Only test against accounts you own or have explicit written authorization to test
- Not access, modify, delete, or exfiltrate data that belongs to other users or customers
- Not disrupt service availability, degrade performance, or affect other users
- Not use social engineering, phishing, physical attacks, or denial-of-service testing
- Stop testing and report immediately if you encounter data belonging to other parties
- Comply with all applicable laws and this Policy
4. Safe Harbor
Permissio will not pursue civil or criminal legal action against good-faith security research that:
- Complies with this Policy
- Does not cause harm to Permissio, its customers, or third parties
- Does not access, retain, or disclose non-public data beyond what is minimally necessary to demonstrate the vulnerability
- Is reported promptly and in good faith
This safe harbor does not authorize activity that violates applicable law or the rights of third parties, and does not extend to activity outside the scope of this Policy.
5. Out of Scope
The following are generally out of scope:
- Missing security headers without demonstrated exploitation impact
- Clickjacking on pages that do not expose sensitive actions or data
- Rate limiting findings without a practical, demonstrated exploit path
- Self-XSS or vulnerabilities that require unlikely or contrived user behavior
- Vulnerabilities in third-party systems not controlled by Permissio
- Reports generated solely by automated scanners without manual validation or demonstration of impact
6. Response Process
Permissio will:
- Acknowledge receipt of your report
- Assess the severity and validity of the reported issue
- Investigate the impact and scope
- Prioritize remediation according to severity
- Communicate materially regarding investigation status and resolution
Permissio does not guarantee public disclosure timelines, rewards, or public recognition for vulnerability reports unless a separate bug bounty program is published.
7. Contact
Security reports: security@permissio.us