Report channel
Use the dedicated contact below and include clear reproduction detail so the issue can be triaged quickly.
Responsible Disclosure
Vulnerability Disclosure Policy
How to report a security issue affecting the public SpeakUp website, what is generally in scope, and how we ask researchers to behave.
Last updated: March 30, 2026
Scope
The policy focuses on the public website and closely related public flows, not every third-party system operated by a provider.
Research expectations
Test in good faith, avoid destructive behavior, and do not access or retain data that is not yours.
No bug bounty promise
This public policy is a disclosure path, not a commitment to monetary rewards.
SpeakUp Trust Portal
Privacy, security, vendors, and review materials in one place
Find the key public trust documents, follow-up review materials, and the right next step without bouncing between separate policy pages.
Core documents
If you believe you have discovered a security issue affecting the public SpeakUp website or a closely related public workflow, we appreciate responsible disclosure.
This page explains how to report the issue, what information helps us triage it, and what behavior we expect during security research.
01
What to include in a report
- The affected URL, page, or user flow.
- A clear description of the issue and why it matters.
- Reproduction steps, screenshots, or a minimal proof of concept if available.
- Any prerequisites, browser details, or environment assumptions needed to reproduce the issue.
- A note if you believe personal data or account integrity may be affected.
02
Generally in scope
- Publicly reachable pages and assets on the SpeakUp website.
- Cookie, consent, contact-form, analytics, localization, and embedded-content flows that are part of the public website.
- Misconfigurations that expose sensitive information, weaken access boundaries, or create unintended data exposure.
03
Generally out of scope
- Social engineering, phishing, or physical attacks.
- Spam, denial-of-service testing, traffic flooding, or other disruptive load generation.
- Issues that require access to a third-party provider account that you do not own.
- Reports based only on scanner output without a demonstrated impact path.
- Vulnerabilities in third-party services that do not show a concrete exploit path in the SpeakUp implementation.
04
Research expectations
- Act in good faith and avoid privacy violations, data destruction, or service degradation.
- Do not intentionally access, download, alter, or retain data that does not belong to you.
- Stop testing and contact us once you confirm a meaningful issue.
- Do not publicly disclose the issue before a reasonable opportunity to investigate and remediate it.
05
Safe-harbor intent
- We aim to review good-faith reports and work toward coordinated remediation.
- Research performed consistently with this policy is more helpful to us than silent exploitation or premature public disclosure.
- This policy does not authorize unlawful activity, destructive testing, or access to data beyond what is necessary to demonstrate the issue.
A machine-readable disclosure contact is also published at /.well-known/security.txt.
06
Disclosure contact
Use the address below for responsible disclosure reports affecting the public website or closely related public workflows.
Disclosure contact
contact@speak-up.proTrust Workflow
Need a structured package for legal, privacy, or security review?
Use the Trust Package path when your team needs the next layer beyond the public trust pages.