Security
Responsible Disclosure
We take security seriously. If you've discovered a vulnerability in Invoice Navigator, we want to hear from you.
In Scope
- invoicenavigator.eu and all subdomains
- API endpoints (api.invoicenavigator.eu)
- Authentication and session management
- Data handling and storage
- Invoice validation processing
Out of Scope
- Denial of service attacks
- Social engineering or phishing
- Physical attacks against our infrastructure
- Third-party services we use (report to them directly)
- Vulnerabilities requiring unlikely user interaction
How to Report
Send your findings to:
security@invoicenavigator.eu
Please include:
1. Description of the vulnerability
2. Steps to reproduce the issue
3. Potential impact assessment
4. Proof-of-concept code (if applicable)
5. Your contact information for follow-up
Our Commitment
- 24h, Initial Response: We'll acknowledge receipt of your report
- 72h, Triage Complete: We'll confirm the vulnerability and assess severity
- 90d, Disclosure Timeline: We request 90 days to fix before public disclosure
Safe Harbor
We will not pursue legal action against security researchers who:
- Act in good faith to avoid privacy violations, data destruction, and service disruption
- Only interact with accounts they own or have explicit permission to test
- Report vulnerabilities promptly and don't publicly disclose before we've fixed them
- Don't exploit the vulnerability beyond what's necessary to demonstrate it
Recognition
While we don't currently offer a bug bounty program, we're happy to:
- Publicly acknowledge your contribution (with your permission)
- Provide a letter of acknowledgment for your portfolio
- Keep you informed about the fix and timeline