Security Reporting
Practiq welcomes responsible security reports from researchers and users. Practiq does not authorize unsolicited testing of production systems. Reports should be based on passive review or issues discovered during normal use unless explicit written authorization has been granted in advance.
What to Include in a Report
Please include:
- Clear step-by-step reproduction instructions
- Affected URLs and endpoints
- Observed impact and potential risk
- Screenshots, request/response details, or logs where safe and necessary
- Any assumptions or preconditions needed to reproduce
Rules of Engagement
You must not:
- Access, modify, delete, retain, or exfiltrate data that is not your own
- Perform unauthorized testing against production systems
- Run broad automated scans, vulnerability spraying, or brute-force activity
- Attempt denial-of-service, load, stress, or disruption testing
- Send spam, phishing, or social engineering messages to customers or staff
- Abuse registration, onboarding, or public forms for bulk or deceptive activity
No Public Bug Bounty
Practiq does not currently operate a public bug bounty program. Payment or reward is not guaranteed. Any compensation must be agreed in writing in advance, before testing or remediation work.
Coordinated Disclosure
Please do not publicly disclose security issues until we confirm remediation is complete. Practiq will review reports, acknowledge valid findings, and coordinate reasonable disclosure timing.
Safe Harbor Limitation
Only activities explicitly authorized in writing by Practiq are in scope for active security testing. Unauthorized activity remains prohibited, even when intended to identify vulnerabilities.
Contact
Send security reports to: security@practiqapp.com