Security Disclosure Policy

We welcome responsible disclosure of security vulnerabilities affecting Postipy AI. If you believe you have found a security issue, please report it to us and we will investigate promptly.

Last updated: April 13, 2026

Our commitment

Postipy AI handles account data, LinkedIn integration tokens, and user-generated content. We take the security of that data seriously and work continuously to reduce risk across our application, infrastructure, and third-party integrations. This policy explains how security researchers can report vulnerabilities and what we expect from responsible disclosure.

How to report

Send details to notifications@postipy.com. Include reproduction steps, affected URLs or API endpoints, proof of concept, and the potential impact on users or data.

Please encrypt sensitive details if needed and avoid including live credentials in your report. We may ask follow-up questions to reproduce and validate the issue before remediation.

What to include

  • A clear description of the vulnerability and affected component.
  • Step-by-step instructions to reproduce the issue.
  • Screenshots, logs, or request/response samples where helpful.
  • Your assessment of severity and suggested mitigation, if available.

Safe harbor

We will not pursue legal action for good-faith security research that avoids privacy violations, service disruption, and data destruction, and follows this policy. Researchers should not access, modify, or delete data belonging to other users, and should stop testing once a vulnerability is confirmed.

Out of scope

  • Social engineering, phishing, or physical attacks.
  • Denial-of-service testing or spam.
  • Automated scanning that materially degrades service performance.
  • Reports based solely on missing security headers without demonstrated exploitability.
  • Issues in third-party services outside Postipy AI's control.

Response targets

We aim to acknowledge valid reports quickly and keep reporters informed as we investigate and remediate. Timelines may vary based on severity and complexity.

  • Acknowledgement within 3 business days.
  • Status update within 10 business days.
  • Remediation prioritization based on risk to users and data.

Related policies

For data handling practices, see our Privacy Policy. For third-party providers that process data on our behalf, see Subprocessors.