heista ~ $ cat security_disclosure.md
── version 2026.05.11 · stable ──
Found something? Tell us.
reply within 48h · fix within 90d · safe harbour for good-faith research
01 / report
Send to support@heista.co with the subject line Security Disclosure. Include:
- Clear description of the issue and its impact.
- Reproduction steps — affected URL, headers, payloads, expected vs. actual.
- PoC code or screenshots if applicable. Do not include real customer data.
- Your name or handle if you'd like credit when we ship the fix.
machine-readable contact: /.well-known/security.txt
02 / in scope
- https://www.heista.co
- heista.co/api/v1/*
- /api/mcp/*
- /.well-known/* (OAuth + MCP discovery)
- MCP server registered as co.heista/api
- Public repos at github.com/Heista-co
most wanted
auth bypass · cross-org data leakage · SSRF · prompt injection escaping its boundary · spending-cap bypass · billing math errors · sensitive data exposure · XSS / SQLi / RCE · supply-chain risk
03 / out of scope
- Volumetric / DoS testing.
- Social engineering of staff or customers.
- Physical attacks (we're remote-first).
- Automated-scanner findings with no demonstrated impact (CSP suggestions, missing headers without exploit, "clickjacking" on read-only pages).
- Self-XSS, version disclosure, theoretical CRLF.
- Issues in third-party infrastructure, payment, or AI providers we use — please report those directly to the upstream vendor, not to us.
- Email spoofing without a credential-stealing chain.
- Testing that affects another customer's account or data, or that otherwise violates our Terms.
04 / timeline
| when | step | what happens |
|---|---|---|
| t+0 | You report | Email lands in support@heista.co |
| t+48h | We acknowledge | Reply confirming receipt + tracking ID |
| t+7d | We confirm | Reproduce + assign severity + share fix ETA |
| t+90d | We ship | Fix deployed (faster for criticals — often 24-72h) |
| t+90d+ | You publish | Public write-up at your discretion (heads-up appreciated) |
05 / safe harbour
We will not pursue legal action against good-faith security researchers who:
- Make a good-faith effort to avoid privacy violations, data destruction, and service disruption.
- Test only against accounts they own or have explicit permission to use.
- Report findings privately to support@heista.co before disclosing publicly.
- Stay within the 90-day disclosure window above.
- Stay within scope as defined on this page.
We consider research conducted in line with this policy to be authorised conduct for the purposes of the Australian Privacy Act 1988 and the U.S. Computer Fraud and Abuse Act, and we will not bring a claim for circumventing protections that you needed to circumvent in order to demonstrate a vulnerability.
06 / bounty
We don't pay cash bounties yet. We're a small team and ship fixes faster than we'd run a formal program. What we will do:
- Credit you on this page (with your permission).
- Send Heista swag if/when we have any.
- Complimentary year of paid Heista usage as thanks for higher-severity findings.
We may revisit this once we're larger. If you'd prefer to be paid for your time, please be upfront — we'll either decline respectfully or work something out.
07 / hall of fame
No findings reported yet.
When the first one lands and is fixed, the researcher (with their permission) gets acknowledged here.