Security

Vulnerability Disclosure Policy.

If you discover a security vulnerability in Docuplete, we want to hear from you. This page describes how to report it, what to expect from us, and the protections we extend to researchers who report in good faith.

How to report

Send your report to security@docuplete.com.

Scope

What is in scope.

docuplete.com

The Docuplete marketing site and all pages under it.

docuplete.app

The Docuplete application — org dashboard, client interview forms, signing flows, and the developer API (api.docuplete.com).

Authentication

Issues affecting login, session management, token handling, or account isolation — including cross-tenant data access.

Data exposure

Any vulnerability that could expose client interview answers, generated PDFs, personally identifiable information, or API keys belonging to another organisation.

Document generation

Injection, spoofing, or tampering affecting the PDF generation pipeline, field values, or signed document output.

API security

Broken authentication, authorisation bypass, rate-limit bypass, or HMAC verification weaknesses in the developer API.

Out of scope

What we ask you not to test.

Social engineering

Phishing, vishing, or any attack targeting Docuplete employees or customers rather than the platform itself.

Denial of service

Volumetric or application-layer denial-of-service attacks against production infrastructure.

Third-party services

Vulnerabilities in third-party services we use (Cloudflare, Stripe, Clerk, etc.) should be reported directly to those vendors.

Physical attacks

Attacks requiring physical access to hardware or infrastructure.

Automated scanning noise

Please do not submit raw automated scanner output without a verified, reproducible finding.

Already-known issues

Reports of vulnerabilities we have already acknowledged or that are publicly known without a new angle are out of scope.

Safe harbour

We will not pursue action against good-faith researchers.

Found something? Tell us.

We take security seriously and respond to every credible report.

Email security@docuplete.com
