Responsible disclosure policy
Applies to: Passwork Cloud, Passwork On-Premise, browser extensions, mobile apps, API, and documentation.
Security matters to us. If you've found something that could affect Passwork's security or our users' data, we want to hear about it. This policy explains how to report vulnerabilities responsibly and what you can expect from us in return.
What we promise
When you report a vulnerability following these guidelines:
- We'll respond quickly. You'll hear back from us within 5 business days, usually sooner.
- We'll keep you in the loop. We'll update you on our progress and work with you on disclosure timing.
- No legal trouble. If you're acting in good faith and following this policy, we won't take legal action against you. Period.
In scope
Feel free to test these:
- Passwork Cloud (public instance)
- Passwork On-Premise (your own licensed installation)
- Browser extensions
- Mobile apps
- API and web client
- Documentation and public websites
Not sure if something's fair game? Drop us a line at [email protected] before you start.
Ground rules
Some things are off-limits to keep our users safe:
- Don't touch real user data. No accessing, modifying, or deleting anyone else's information.
- No DoS attacks. That means no volumetric attacks, no aggressive scanning, and nothing else that degrades service performance for other users.
- No social engineering. Don't phish our employees or customers.
- No physical attacks. Our infrastructure, offices, and equipment are off-limits.
- Go easy on automated scanners. They can cause problems for Passwork Cloud, so avoid them there.
- Keep impact minimal. Only go as far as you need to prove the vulnerability exists.
How to report
Send your report to [email protected]
Please include:
- What you found and how it works
- Steps to reproduce it
- Your assessment of the potential impact
- Proof of concept (screenshots, video, code)
- The IP address(es) you tested from (so we can match your activity in our logs)
- How you'd like to be credited (if at all)
We accept reports in English.
The process
- You send us the details
- We acknowledge receipt (within 5 business days)
- We validate and investigate the issue
- We develop a fix
- We let you know when it's resolved
- We coordinate on public disclosure (typically 30-90 days after the fix)
What we're looking for
- Authentication bypass or session hijacking
- Encryption bypass (client or server-side)
- Privilege escalation
- API authorization issues
- Code execution vulnerabilities
- SQL/NoSQL injection
- XSS, CSRF, SSRF
- RCE in on-premise installations
- Sensitive information disclosure
- Logic flaws that compromise security
- Broken access controls
- Password or TOTP exposure
Out of scope
We focus on real, exploitable vulnerabilities that could actually harm our users. Security recommendations are welcome, but they're not treated as vulnerabilities unless you can show how they lead to a concrete problem.
Please don't report these:
- Email configuration issues (SPF/DKIM/DMARC)
- Missing security headers without a working exploit
- Missing or weak rate limiting without a demonstrated security impact
- Clickjacking on non-sensitive pages
- General security best practices or recommendations
- Outdated dependencies or vulnerable packages unless you can demonstrate actual exploitation in Passwork
- Issues requiring physical or root access to user devices
Safe harbor
If you follow this policy and act in good faith, your security research is authorized. We won't pursue legal action, and we'll work to minimize third-party legal claims.
This protection doesn't cover actions that:
- Harm users or access their data
- Disrupt our services
- Violate laws in ways that go beyond what legitimate security testing requires
Recognition
We keep a Hall of Fame for researchers who've helped improve Passwork's security. Let us know in your report if you'd like to be listed.
Contact
- Security team: [email protected]
- Help Center: passwork.pro/help/
Last updated: December 2025