Skip to content
Welzin

Security · Responsible Disclosure

Responsible Disclosure

Last updated: June 28, 2026

We take the security of our website and products seriously and welcome reports from security researchers acting in good faith. This policy explains how to report a vulnerability to Welzin LLP, what to expect from us, and the boundaries that keep your research safe and lawful.

How to report

Email a detailed report to contact@welzin.aiwith the subject line “Security report”. Please include:

  • a clear description of the issue and its potential impact;
  • the affected URL, product, or endpoint;
  • step-by-step instructions to reproduce it, including any proof-of-concept;
  • your name or handle, if you would like to be credited.

Our commitment

When you report in line with this policy, we will:

  • acknowledge your report within five business days;
  • investigate, keep you informed of our progress, and confirm once the issue is resolved;
  • credit you for the discovery if you wish, once a fix is in place and you agree to disclosure.

Safe harbour

We will not pursue or support legal action against researchers who, in good faith, discover and report a vulnerability under this policy, provided they avoid privacy violations, data destruction, and service disruption, and do not access or modify data beyond what is needed to demonstrate the issue. If in doubt, contact us before testing.

Guidelines

  • Give us a reasonable time to investigate and remediate before any public disclosure.
  • Do not access, store, or share other people’s data; use test accounts you control where possible.
  • Do not run automated scanning that degrades service, denial-of-service tests, or social engineering, phishing, or physical attacks against our staff or facilities.

Out of scope

The following are generally not eligible under this policy:

  • reports from automated tools without a demonstrated, exploitable impact;
  • missing security headers or best-practice suggestions with no concrete vulnerability;
  • denial-of-service, rate-limiting, or volumetric issues;
  • social engineering, phishing, or issues requiring physical access to a user’s device.

Recognition

We do not currently run a paid bug-bounty programme, but we are grateful for every good-faith report and are happy to acknowledge researchers who help us keep Welzin secure.