Security disclosure policy
est-invoice is a multi-tenant accounting platform for Vietnamese SMEs. We take security reports seriously. If you believe you have found a vulnerability, please follow the process below.
Reporting
Email [email protected] with:
- A clear description of the vulnerability + impact
- Reproduction steps (or a proof-of-concept payload)
- Affected URLs, endpoints, or workflows
- Your name + a contact channel for follow-up
Please do not include exfiltrated customer data in your report — describe what you could access in general terms.
What to expect
- Acknowledgement of receipt within 72 hours
- Triage + severity rating within 7 days
- Fix shipped (HIGH/CRITICAL) within 30 days
- Public credit in the changelog, if you want it
Scope
In-scope: est-invoice.com (production app) and the public verify surface /verify/<documentId>. Out-of-scope: third-party services we link to (Google OAuth, Anthropic API, Resend) — report those to the respective vendors.
Safe harbor
We will not pursue legal action against researchers who:
- Make a good-faith effort to avoid privacy violations + data destruction
- Don't access or modify data beyond what's needed to demonstrate the issue
- Don't perform DoS / volumetric attacks against production
- Report directly to us before public disclosure (30-day coordination window)
Last updated 2026-05-16. See also /.well-known/security.txt.