Vulnerability Disclosure Policy
How to report security vulnerabilities to Impulio responsibly.
1. Our commitment
The security of our users and their data is a top priority at Impulio. We appreciate the work of security researchers and treat every responsible disclosure as a partnership. This policy describes how to report a vulnerability, what we will do in return, and the boundaries within which we ask you to test.
2. How to report a vulnerability
Please report suspected vulnerabilities privately, via email:
Email: kontakt@impulio.app
Please use the subject line "Security Vulnerability Report" so we can route your message correctly.
What to include in your report
To help us reproduce and triage the issue quickly, please include:
- A clear description of the vulnerability and its potential impact
- Step-by-step reproduction instructions (URLs, parameters, payloads)
- Proof of concept code, screenshots or videos where applicable
- The affected component, environment and any account identifiers you used
- Your suggested remediation, if you have one
- How you would like to be credited (or whether you prefer to remain anonymous)
The full machine-readable contact information is available in our security.txt file, in the format specified by RFC 9116.
3. What you can expect from us
We aim to handle every report quickly and respectfully. Concretely, we commit to:
- Acknowledgement within 2 business days after receiving your report.
- A first assessment within 7 calendar days, including whether we can reproduce the issue and how we categorise its severity.
- Regular status updates while we work on a fix, at least every 14 days.
- Honest communication about issues we decide not to fix and why.
- Notification once the issue is resolved so you can verify the fix.
Impulio is operated by a small, owner-led team. We do not run a paid bug bounty program. We do offer public recognition (see below) and will do our best to be a fair partner.
4. Safe harbor
We will not pursue or support legal action against security researchers who:
- Make a good-faith effort to comply with this policy,
- Avoid privacy violations, data destruction, service interruption or degradation of our services,
- Only interact with accounts they own or with explicit permission of the account holder,
- Do not exfiltrate more data than is necessary to demonstrate the vulnerability, and securely delete any test data afterwards,
- Give us a reasonable time to investigate and remediate before any public disclosure.
If in doubt about whether a planned test is acceptable, contact us first via the email above. We would much rather answer a question in advance than have a misunderstanding later.
This safe harbor does not waive third-party rights. If your research touches infrastructure or services we do not own (e.g. payment providers, social networks, hosting providers), their separate terms apply and we cannot extend protection there.
5. Scope
The following assets are in scope for vulnerability research under this policy:
- impulio.app (marketing site and web application)
- api.impulio.app (REST API backend)
- impul.io (Link-in-Bio pages)
Vulnerabilities we are especially interested in:
- Authentication and session management flaws
- Authorisation bypass, privilege escalation, IDORs
- Server-side vulnerabilities (RCE, SQLi, SSRF, deserialisation)
- Stored XSS, CSRF on sensitive actions
- Sensitive data exposure or insecure direct object references
- OAuth or social-account-linking flaws affecting our integrations
6. Out of scope
The following are explicitly out of scope and should not be tested:
- Denial-of-service (DoS / DDoS), traffic flooding, resource-exhaustion attacks
- Brute-force, credential stuffing or password-spraying attacks
- Physical attacks, social engineering, phishing against our staff or users
- Vulnerabilities in third-party services we use (please report to those vendors directly)
- Reports of missing security headers, weak ciphers or other "best practice" scanner output without a demonstrated impact
- Self-XSS, clickjacking on pages without sensitive actions, missing SPF/DMARC on non-mail domains
- Reports from automated scanners without manual verification or reproducible impact
7. Recognition
With your permission, we are happy to publicly credit researchers who help us improve our security in a Hall of Fame on this page. Let us know in your report how you would like to be named (real name, handle or anonymous).
Questions about this policy?
For non-security questions about Impulio please use our contact page. For privacy questions, see our privacy policy.