Security

Security and Vulnerability Disclosure

How to report a security vulnerability in PartWise, and what to expect from us in return.

Our commitment

PartWise helps people through one of the hardest periods of their lives, and the security of what they store with us is the foundation of the product. We welcome good-faith security research and want to hear about vulnerabilities before anyone else does. This page explains what is in scope, how to report, and what you can expect from us.

Scope

In scope:

  • https://www.partwise.com.au, including its API routes
  • The PartWise web application and its client-side encryption implementation

Out of scope:

  • Third-party services PartWise relies on (Vercel, Clerk, Supabase, Stripe, Google, Microsoft, Anthropic, Resend, PostHog, Sentry, BetterStack, GitHub). Report vulnerabilities in those platforms to the relevant vendor under their own disclosure programme.
  • Findings that require physical access to a user's device, social engineering of PartWise or its users, or stolen credentials
  • Denial of service, volumetric, or resource-exhaustion testing of any kind
  • Automated scanner output submitted without a demonstrated, reproducible impact
  • Reports concerning the presence of publicly intended values (for example, publishable API keys that are public by design)

If you are unsure whether something is in scope, ask first at support@partwise.com.au.

Ground rules for testing

  • Use your own test account. Do not access, modify, or delete data belonging to any other user.
  • If you encounter personal data belonging to anyone other than yourself, stop immediately, do not retain or share it, and report what happened.
  • Use exploits only to the minimum extent needed to demonstrate that a vulnerability exists. Do not use a finding to pivot, persist, exfiltrate data, or degrade the service.
  • Do not run denial-of-service tests, and keep automated scanning to a reasonable rate.
  • Give us a reasonable opportunity to fix an issue before any public disclosure.

Safe harbour

Security research conducted in good faith and in accordance with this policy is authorised. We will not initiate or recommend legal action against you for research that complies with this policy, and we will work with you openly to understand and resolve what you find. This authorisation does not extend to the out-of-scope third-party platforms listed above, which we cannot authorise testing of.

How to report

Email support@partwise.com.au with as much of the following as you can:

  • A description of the vulnerability and where you found it
  • The potential impact as you understand it
  • Steps to reproduce, including scripts or screenshots where helpful
  • Any constraints on your availability for follow-up questions

Reports may be submitted anonymously, although we cannot keep you updated without a contact address. Please report in English if possible.

What you can expect from us

  • Acknowledgement of your report within five business days
  • An honest assessment of the report and regular updates while we investigate and fix
  • Credit for your finding if you would like it, once a fix has shipped
  • Coordinated disclosure: we ask for up to 90 days to remediate before public disclosure, and in practice aim to be much faster. We do not currently operate a paid bug bounty programme.

PartWise is a product of Find Your Difference Pty Ltd (ABN 27 622 504 705), based in Sydney, Australia. Security reports are always welcome at support@partwise.com.au.