Vulnerability Disclosure Policy

Effective 2026-05-12

OpenSettle welcomes security research. This policy tells you what is in scope, how to report, and what you can expect back from us. If you are testing in good faith and follow the rules below, we will not pursue civil action against you or report you to law enforcement.

In scope. Production opensettle.io (marketing site and dashboard), api.opensettle.io and its documented public endpoints, and our published SDKs (@opensettle/sdk on npm, opensettle on PyPI, opensettle-sdk-go via the Go module proxy, opensettle on crates.io). Vulnerabilities in our core authentication, payment-intent issuance, webhook signing, and tenant-isolation code paths are the highest priority.

Out of scope. Third-party services we depend on (report to the relevant vendor); social engineering of OpenSettle staff, contractors, or family; physical attacks against offices or hardware; denial-of-service testing, volumetric load testing, or any test designed to degrade service for other users; reports based solely on automated scanner output without a working proof of concept; missing best-practice headers without demonstrated impact; clickjacking on pages with no sensitive action; rate-limit findings on unauthenticated endpoints with no security impact.

How to report. Email security@opensettle.io with a clear description, reproduction steps, and any proof-of-concept code. Mail to that address is TLS-encrypted in transit to our inbox. We do not yet publish a dedicated PGP key; an OpenSettle PGP key will be published at /.well-known/pgp-key.txt and referenced from this page when available. Please do not file public GitHub issues for security reports. We acknowledge new reports within 72 hours and provide a triage decision within 7 days.

Rules of engagement. Do not exfiltrate data beyond the minimum needed to demonstrate the issue (one record is usually enough; stop there). Do not degrade or interrupt the service for other users. Do not test against merchant workspaces or end-customer payment flows you do not own — create your own free workspace and test against it. Do not access, modify, or destroy data belonging to anyone else. Do not publicly disclose a vulnerability for 90 days after report or until we confirm resolution, whichever comes first; we will work with you on coordinated disclosure if you want to publish.

Severity tiering and target patch SLAs. P0 (active exploitation, broad data exposure, ability to move merchant funds, or full tenant break-out): mitigation within 24 hours. P1 (authentication bypass, vertical or horizontal privilege escalation, significant PII exposure): patch within 7 days. P2 (limited information disclosure, stored XSS in authenticated surface, CSRF on sensitive action): patch within 30 days. P3 (best-practice hardening, low-impact issues): patch within 90 days. We will tell you the assigned severity in our triage response and explain if we disagree with your rating.

Safe harbor. If you make a good-faith effort to comply with this policy during your research, we consider your research to be authorised under the Computer Fraud and Abuse Act and equivalent state and foreign laws, we waive any DMCA claim against you for circumventing technical measures, and we will not pursue civil action or initiate a complaint to law enforcement. We cannot bind third parties; if your research touches a third-party system, you are responsible for getting authorisation from that party. If a third party sues you for research conducted under this policy, we will make this safe-harbor statement available to support your defence.

Acknowledgements. With your consent, we credit researchers who report valid issues in a hall of fame at /security#researchers (also available via security@opensettle.io). You may stay anonymous if you prefer. Credit includes the issue summary, severity, your handle or name, and the resolution date.

Bounties. We do not pay cash bounties today. We want to be honest about that rather than dangle a vague promise. What we offer now: public acknowledgement, OpenSettle credits applied to your workspace, and swag where shippable. When funding allows, we will launch a paid bounty programme and pay retroactively for material findings reported under this policy; we will announce on this page when that happens.

Questions. For policy clarifications (not for reports), write to security@opensettle.io with subject line "VDP question".

This document is the current published version of the policy. Outside-counsel review is in progress and revisions will be announced on this page. For operational questions, contact support@opensettle.io.