Vulnerability disclosure policy

Last updated: 26 May 2026

Joinalyse takes the security of our platform and the integrity of academic research data seriously. If you have found a security issue we want to hear about it so we can fix it quickly. This page explains how to report a vulnerability, what is in scope, what is out of scope, how we respond, and our safe-harbor commitment to researchers who act in good faith.

Reporting a vulnerability

Send vulnerability reports to [email protected]. Include a clear description, steps to reproduce, the affected URL or component, and any proof-of-concept output. Encrypted attachments are welcome. We acknowledge every report within 72 hours and follow up with a triage outcome and a remediation timeline as soon as we have validated the issue.

Email us at [email protected].

A machine-readable version of this policy is published at /.well-known/security.txt.

Scope

The following Joinalyse-controlled assets are in scope for this policy:

  • Every subdomain of joinalyse.com that Joinalyse operates, including app.joinalyse.com and the public marketing site.
  • Joinalyse application code (Nuxt frontend, Directus backend, supporting microservices) running on our infrastructure.
  • Joinalyse-operated services that handle user data, including the survey engine, participant matching, analytics, and email delivery integration.

Out of scope

The items below are not part of this disclosure policy. Please report them to the relevant vendor directly:

  • Vulnerabilities in third-party services we use as sub-processors (Hetzner, Resend, Cloudflare). Report those to the vendor; we publish their security contacts in our trust page.
  • Social-engineering attempts against Joinalyse staff, contractors, or partner universities.
  • Physical attacks against Joinalyse offices, staff, or hosting facilities.
  • Volumetric denial-of-service attacks or stress-testing against production without prior written agreement.
  • Spam, phishing, or mass-mailing run through Joinalyse-hosted forms (handle via our abuse contact instead).

Safe harbor for good-faith research

We will not pursue civil or criminal action against security researchers who report a vulnerability under this policy in good faith. Good faith means: you respect user privacy, you do not modify or destroy data beyond what is needed to demonstrate the issue, you do not deliberately degrade service availability, you give us a reasonable window to fix the issue before public disclosure (90 days is our default), and you do not run automated mass-exploitation scans against our production systems.

  • Respect user privacy. Do not access or exfiltrate personal data beyond the minimum needed to prove the issue, and delete anything you incidentally collect.
  • Do not modify, destroy, or persist data on our systems, and do not pivot to systems outside the declared scope.
  • Do not deliberately degrade availability of the service for other users, and stop testing immediately if you encounter signs of impact.
  • Coordinate disclosure with us. Our default window is 90 days from the first report; we may negotiate a shorter or longer window depending on severity and patch complexity.
  • Do not run automated mass-exploitation, dictionary attacks, or brute-force attempts against production. Targeted manual testing only.

Response timeline

We aim for the following service levels on incoming reports:

  • Initial acknowledgement: within 72 hours of receipt.
  • Triage outcome (confirmed, duplicate, out of scope, more info needed): within 7 calendar days.
  • Remediation plan for confirmed issues: communicated within 14 calendar days, with a target fix window proportional to severity.
  • Status updates: at least every 14 days while a confirmed issue is under remediation.

Acknowledgements

If your report leads to a fix, you may be credited by name on a future security update post (with your consent). Tell us in your report whether you want to be listed publicly, listed under a pseudonym, or stay anonymous. Joinalyse does not currently run a paid bug bounty program.

Contact

All security communications go to [email protected].

For a broader overview of our security and privacy posture, see our Security & Trust page.

← Back to home