Email security reports to security@organismhq.com. Include reproduction steps, affected URLs, impact, and any safe proof of concept.
Report security issues responsibly.
OrganismHQ welcomes good-faith reports about vulnerabilities that could affect users, billing, trust badges, APIs, or project data.
Do not access private accounts, exfiltrate data, run destructive tests, attack providers, spam forms, or attempt social engineering. Reports made in good faith will be reviewed without retaliation.
OrganismHQ aims to acknowledge critical reports within 3 business days and prioritize fixes based on severity, exploitability, and user impact.
In scope: payment entitlement bypass, XSS, broken access control, API key exposure, badge/seal forgery, private data leakage, and authentication/session issues.