Vulnerability Disclosure
How to report security vulnerabilities to us and what our response and remediation process looks like.
Last updated: December 16, 2025
How to report
If you believe you have discovered a security vulnerability in Workplace.io, email us with details so we can investigate and remediate.
- Email: security@workplace.io
- Include: a description, steps to reproduce, affected URLs/endpoints, and any relevant screenshots or logs.
- Timing: include when you observed the issue and whether it is still reproducible.
Please do not include sensitive data
Avoid sending real customer message content, credentials, tokens, or payment details. If we need additional information, we will
coordinate a secure method to collect it.
Safe harbor
We support good-faith security research intended to protect users and customers. Please avoid actions that could impact other customers,
degrade service availability, or access data beyond what is necessary to demonstrate the issue.
- Do not exploit vulnerabilities beyond what is necessary to confirm the issue.
- Do not access or modify data that does not belong to you.
- Do not perform destructive testing or denial-of-service attacks.
Our response process
We confirm receipt, triage severity, investigate, remediate, and follow up. Timelines depend on severity and complexity.
- Acknowledgement: we confirm receipt and begin triage.
- Triage: we assess severity, impact, and scope.
- Remediation: we implement fixes and validate effectiveness.
- Communication: we may provide updates and coordinate disclosure timing where appropriate.
Disclosure expectations
We ask that researchers provide us an opportunity to remediate issues before public disclosure. If you plan to publish details, coordinate
with us so we can align on a responsible disclosure timeline.