Responsible Disclosure Policy
Last updated: 2026-05-08
Socianote (operated by Goodtech Hldgs Pte. Ltd., Singapore) takes the security of our platform and the data entrusted to it by social service agencies seriously. If you believe you have found a security vulnerability, please report it to us responsibly.
How to report
Email [email protected] with:
- A description of the issue and where it was found.
- Step-by-step reproduction instructions.
- Any proof-of-concept code, screenshots, or logs that demonstrate the issue.
- Your name and how you would like to be credited (if at all).
PGP encryption is supported on request — email [email protected] to request our current public key.
Our commitment
- Initial response: within 72 hours of receipt.
- Triage outcome: within 7 calendar days (severity, scope, expected timeline).
- Fix timeline (target): Critical within 7 days, High within 30 days, Medium within 90 days, Low at next planned release.
- Status updates: every 14 days while the report is open.
- Resolution notice: when the fix ships, with permission to publish your write-up if you wish.
Scope
In scope
- The Socianote production application at https://socianote.com and its sub-paths.
- Socianote API endpoints under https://socianote.com/api/*.
- Authentication, authorisation, multi-tenant isolation, data exposure, server-side request forgery, injection, and similar classes of issue.
Out of scope
- Vendor-managed services we depend on (Supabase, Vercel, Resend, Sentry, Upstash) — please report directly to those vendors.
- Marketing pages, blog content, or third-party links.
- Findings in customer-uploaded content (those are tenant-owned data, not platform vulnerabilities).
- Findings that require physical access to a user's device or social-engineering of a Socianote employee.
- Self-XSS, missing security headers without a demonstrable exploit, descriptive error messages without sensitive data, version disclosure without impact, missing rate limits where a working bypass is not demonstrated.
- Volumetric / denial-of-service tests. Please do not run these against our production environment.
- Automated scanner output without a working proof-of-concept.
If you are unsure whether something is in scope, email us first — we would rather have the conversation than miss a real issue.
Safe harbour
We will not pursue legal action against, or report to law enforcement, security researchers who:
- Make a good-faith effort to comply with this policy.
- Avoid privacy violations, destruction of data, and disruption to our service.
- Limit testing to accounts they own or have explicit permission to test.
- Stop testing and contact us as soon as a vulnerability is identified.
- Do not publicly disclose the issue before we have had a reasonable opportunity to remediate it (typically 90 days from initial report, or sooner if we agree).
If your research violates the law in your jurisdiction, this safe harbour does not protect you from third-party action.
Bug bounty
We do not currently operate a paid bug bounty programme. We are happy to acknowledge researchers publicly with their permission and may offer recognition in our security credits page once one exists.
Contact
For all security matters: [email protected]
For non-security inquiries (general support, billing, sales): see our website.
Thank you for helping keep Socianote and the people we serve safe.