PolicyWatcher Security

Vulnerability Disclosure Policy

We take security seriously. If you discover a security vulnerability in our platform, please report it to us responsibly.

Security Controls in the 3.5 Confidence Track

PolicyWatcher documents security and confidence work as operational evidence within a defined certification boundary. The current release includes:

Session and API BoundariesHMAC-signed admin sessions, rate-limited login, bearer-protected internal routes and production seed endpoint lockout.
Renderer IsolationOptional VPS renderer for script-rendered pages, protected by shared secret and SSRF validation for URLs, redirects and subresources.
Dataset QA EvidenceSource-fit checks, SHA-256 consistency, check logs, ingestion-method visibility and append-only QA review decisions.
Public Validation SignalsGitHub Quality Gate, CodeQL, OpenSSF Scorecard, OpenSSF Best Practices passing badge and live header scan links.

See Trust & Quality Evidence and Confidence Methodology for the public boundary of these checks.

How to Report

Please send vulnerability reports via email to security@policywatcher.online. To help us triage your report quickly, please include:

  • A description of the vulnerability and its potential impact.
  • Detailed, step-by-step instructions or a proof-of-concept (PoC) to reproduce it.
  • Any suggested remediation steps.

Responsible Disclosure Guidelines

We request that you follow these guidelines to protect our users and system:

  • Give us reasonable time to investigate and mitigate the issue before making it public.
  • Do not access, modify, or delete user data that does not belong to you.
  • Do not perform destructive actions, distributed denial of service (DDoS), or social engineering attacks.

Our Commitment

If you follow the guidelines above, we commit to:

  • Acknowledge receipt of your report in a timely manner.
  • Work quickly to resolve the vulnerability.
  • Not pursue legal action against you.
Report a Vulnerability Return to Homepage