Skip to main content

Security Disclosure Policy

Effective date: April 28, 2026

Permissio, Inc.


1. Purpose

This Security Disclosure Policy explains how security researchers, customers, and users may report suspected vulnerabilities in Permissio systems, and describes Permissio's research rules and safe harbor commitment.


2. How to Report

Send vulnerability reports to security@permissio.us.

Please include:

  • A clear description of the vulnerability
  • The affected URL, endpoint, feature, or component
  • Steps to reproduce the issue
  • Potential impact and severity assessment
  • Proof-of-concept information, where safe and relevant
  • Your contact information for follow-up

Reports may be submitted in English.


3. Research Rules

When conducting security research on Permissio systems, you must:

  • Only test against accounts you own or have explicit written authorization to test
  • Not access, modify, delete, or exfiltrate data that belongs to other users or customers
  • Not disrupt service availability, degrade performance, or affect other users
  • Not use social engineering, phishing, physical attacks, or denial-of-service testing
  • Stop testing and report immediately if you encounter data belonging to other parties
  • Comply with all applicable laws and this Policy

4. Safe Harbor

Permissio will not pursue civil or criminal legal action against good-faith security research that:

  • Complies with this Policy
  • Does not cause harm to Permissio, its customers, or third parties
  • Does not access, retain, or disclose non-public data beyond what is minimally necessary to demonstrate the vulnerability
  • Is reported promptly and in good faith

This safe harbor does not authorize activity that violates applicable law or the rights of third parties, and does not extend to activity outside the scope of this Policy.


5. Out of Scope

The following are generally out of scope:

  • Missing security headers without demonstrated exploitation impact
  • Clickjacking on pages that do not expose sensitive actions or data
  • Rate limiting findings without a practical, demonstrated exploit path
  • Self-XSS or vulnerabilities that require unlikely or contrived user behavior
  • Vulnerabilities in third-party systems not controlled by Permissio
  • Reports generated solely by automated scanners without manual validation or demonstration of impact

6. Response Process

Permissio will:

  1. Acknowledge receipt of your report
  2. Assess the severity and validity of the reported issue
  3. Investigate the impact and scope
  4. Prioritize remediation according to severity
  5. Communicate materially regarding investigation status and resolution

Permissio does not guarantee public disclosure timelines, rewards, or public recognition for vulnerability reports unless a separate bug bounty program is published.


7. Contact

Security reports: security@permissio.us