Security
Security & responsible disclosure
We take the security of Postlane seriously. If you discover a vulnerability, please tell us before telling the world — we commit to a fast, fair response.
Reporting a vulnerability
Open a ticket
Use the contact form and select Security disclosure as the topic. We reply within 24 hours.
Encrypt sensitive details
For payloads or credentials, encrypt before sending. Get our PGP key at /pgp (fingerprint FC2C FF33 AB10 A0E8).
A good report includes: steps to reproduce, the environment (OS, app version, browser), a proof-of-concept or screenshot where safe, and the potential impact. The more detail you provide, the faster we can triage.
What’s in scope
Authentication and authorisation bypass
Remote code execution on postlane.dev or the desktop app
SQL injection or data exfiltration from our servers
Cross-site scripting (XSS) or cross-site request forgery (CSRF) on postlane.dev
What’s out of scope
Denial-of-service attacks or resource exhaustion
Social engineering or phishing of Postlane staff
Issues in third-party libraries where no PoC of impact is provided
Missing HTTP security headers with no demonstrated impact
Rate-limiting on non-sensitive endpoints
Vulnerabilities already known and in our backlog
What to expect
Bug bounty
We do not currently offer a paid bug bounty programme. For valid reports we offer a fast response, public credit in our changelog (if you want it), and our genuine gratitude. We hope to launch a formal programme as the product matures.
Good-faith research
We will not pursue legal action against researchers who discover and report security issues in good faith, provided they do not exploit the vulnerability beyond the minimum necessary to demonstrate it, do not access or modify user data, and disclose to us before public release. This is not a blanket authorisation — intentional harm, data theft, or public disclosure before we have had a reasonable opportunity to respond are not covered.