Responsible Disclosure
Last reviewed: 2 June 2026.
Raposa welcomes good-faith security reports. If you believe you have found a vulnerability in Raposa, email security@raposa.ai with enough detail for us to verify it safely.
Our machine-readable disclosure file is published at /.well-known/security.txt.
How to Report
- A short description of the issue and the affected page, endpoint, or workflow.
- Steps to reproduce the issue without accessing another family’s real data.
- Screenshots, request IDs, or proof-of-concept details when they help us verify the report safely.
- Whether you want to be credited if the issue is valid and we publish a thanks note.
Do not send secrets, private keys, passwords, or personal data unless we explicitly ask for a minimal sample needed to verify the report.
Expected Response Timeline
We aim to:
- Acknowledge security reports within 72 hours.
- Provide an initial assessment or request for more information within 5 working days.
- Keep the reporter updated when the issue is confirmed and actively being remediated.
- Coordinate public disclosure timing after a fix is available, when public disclosure is appropriate.
If a report describes active exploitation or a serious risk to user data, we will prioritise incident response and user protection before public write-ups.
In Scope
Good-faith reports may cover:
- Authentication, session, or access-control flaws.
- Vulnerabilities that expose or modify another user’s care record.
- Stored or reflected cross-site scripting on Raposa-owned surfaces.
- Server-side request forgery, command injection, or similar server-side risks.
- Sensitive data exposure through Raposa-owned applications, APIs, or deployment configuration.
- Security issues in
raposa.ai,preview.raposa.ai,lawyers.raposa.ai, andcustodian-api.raposa.ai.
Use test accounts and your own data. Stop testing and contact us immediately if you unexpectedly encounter another person’s information.
Out of Scope
The following are out of scope unless they demonstrate a clear exploit against Raposa user data or systems:
- Denial-of-service, load testing, or high-volume automated scanning.
- Social engineering, phishing, physical attacks, or attempts against Raposa staff or vendors.
- Spam, content injection that does not create a security impact, or missing security headers without exploitability.
- Reports based only on automated scanner output without a working proof of impact.
- Vulnerabilities in third-party services unless they directly affect Raposa-managed data or configuration.
- Attacks requiring access to a user’s email account, device, or browser extension.
Researcher Conduct
- Do not test against real user records or attempt to access another person’s data.
- Do not publicly disclose the issue until we have had a reasonable chance to investigate and fix it.
- Do not use automated high-volume scanning, denial-of-service techniques, social engineering, physical attacks, or spam.
- Stop testing and contact us immediately if you accidentally encounter personal data.
Credit and Rewards
We do not currently operate a paid bug bounty program. We appreciate responsible reports and may credit researchers who report valid issues responsibly and want to be named.
We will not credit reports that involve extortion, unsafe testing, public disclosure before coordination, or access to real user data beyond what was strictly necessary and immediately reported.
Encryption
We do not currently publish a public GPG key for security@raposa.ai. When an approved public key is available, we will publish it from this page and add an Encryption directive to /.well-known/security.txt.
For broader security and data residency information, see Security and data residency.