$3.05 billion in reported losses to business email compromise in 2025 (FBI IC3).See the numbers by country →

1 · How to report

Email [email protected] with enough detail to reproduce the issue. Our machine-readable contact is at /.well-known/security.txt (RFC 9116).

2 · Our response commitments

StageTarget
Acknowledge your reportWithin 2 business days
Triage and initial assessmentWithin 5 business days
Progress updatesAt least every 14 days until resolved
Coordinated disclosure windowUp to 90 days, extendable by agreement

3 · In scope

  • The production PayHQ application and admin console, and the API-key-authenticated integration API (POST /v1/integrations/invoices).
  • Mailbox and intake connectors.
  • The document extraction pipeline — including prompt-injection or malformed content delivered through a crafted invoice document. This is a bug class we specifically want reported.

4 · Out of scope

  • Do not test against workspaces or data that are not your own. PayHQ is multi-tenant and holds real supplier bank details — an uninvited cross-tenant probe is a personal-data breach, not a finding. Email us and we will provide an isolated test tenant.
  • Denial-of-service, volumetric, or load testing.
  • Social engineering of our staff, customers, or suppliers.
  • Reports from automated scanners with no demonstrated impact.

5 · Safe harbour

If you make a good-faith effort to comply with this policy during your research, FIT PUP LTD will consider your testing authorised, will not pursue or support legal action against you, and will not report you to law enforcement. If a third party brings action against you for activity conducted under this policy, we will make it known that your actions were authorised.

The UK has no statutory safe harbour for security researchers under the Computer Misuse Act 1990, so we state this commitment explicitly. This policy is governed by the laws of England & Wales. We follow the NCSC Vulnerability Disclosure Toolkit.

Operated by FIT PUP LTD · Company no. 15766852 · ICO ZC064795

Last reviewed 2026-07-13 · Next review by 2026-10-13 · [email protected]