Security disclosure policy

est-invoice is a multi-tenant accounting platform for Vietnamese SMEs. We take security reports seriously. If you believe you have found a vulnerability, please follow the process below.

Reporting

Email [email protected] with:

Please do not include exfiltrated customer data in your report — describe what you could access in general terms.

What to expect

Scope

In-scope: est-invoice.com (production app) and the public verify surface /verify/<documentId>. Out-of-scope: third-party services we link to (Google OAuth, Anthropic API, Resend) — report those to the respective vendors.

Safe harbor

We will not pursue legal action against researchers who:


Last updated 2026-05-16. See also /.well-known/security.txt.