
Security & Responsible Disclosure

Last updated: January 8, 2026

Need4Audit is built for security researchers and companies. We take product security seriously and encourage responsible disclosure of vulnerabilities.

Reporting a vulnerability

If you discover a security issue impacting Need4Audit infrastructure, user data, or integrations, please notify us immediately. Avoid public disclosure until we confirm a fix.

Guidelines

  • Give us reasonable time to respond and remediate before going public.
  • Only access data you own or have explicit permission to test.
  • Do not run automated scans that could degrade service for other users.
  • Never exploit a vulnerability for personal gain.
  • Provide clear reproduction steps so we can verify quickly.

Out of scope

The following are generally not considered vulnerabilities:

  • Missing SPF/DKIM records.
  • Best practice suggestions without clear security impact.
  • Automated scan results without proof of exploitability.
  • Rate limit bypasses requiring unrealistic traffic volumes.

Thanks

We appreciate the security community’s help in keeping Need4Audit safe and reliable for everyone. Researchers who responsibly disclose valid issues can opt in to receive recognition once patches ship.