Vulnerability Disclosure Policy
RegAlign welcomes good-faith security research. We will not pursue legal action against researchers who follow this policy.
How to report
Email hello@regalign.app with a subject line beginning [SECURITY]. Include a clear description, steps to reproduce, the impact you believe it has, and (optionally) your contact details.
- Acknowledgement of receipt: within 2 business days.
- Initial assessment: within 5 business days.
- Remediation or mitigation plan for high-severity issues: within 30 days.
In scope
- regalign.app and any subdomain.
- RegAlign-owned *.lovable.app deployments.
- Public API endpoints under /api/public/*.
Out of scope
- Third-party services (please report to that vendor; we can liaise).
- Denial of service, social engineering, physical attacks.
- Automated scanner output without a demonstrated exploit.
- Missing security headers without a concrete exploit path.
- Self-XSS, clickjacking on non-sensitive pages.
Safe harbour
If you make a good-faith effort to comply with this policy we will not pursue civil action, support criminal action, or notify law enforcement. We consider your activity authorised under the UK Computer Misuse Act 1990 and the Data Protection Authority (Jersey) Law 2018 to the extent we are entitled to grant that authorisation.
Safe harbour does NOT cover: accessing, modifying, exfiltrating or destroying customer data; degrading service for other users; or sharing the vulnerability with anyone else before we've had a reasonable opportunity to remediate.
Bounty
We don't operate a paid bug bounty programme today (pre-funding). With your permission we credit you publicly on this page, and we will write to your employer, conference or any other reference of your choice confirming the value of your work.
PGP
We don't publish a PGP key today. If you need to share sensitive details encrypted in transit, email us first and we'll agree a channel.
hello@regalign.app (subject [SECURITY]). Machine-readable contact at /.well-known/security.txt.