# Responsible disclosure

We welcome reports of security vulnerabilities in SwissPay. This page explains how to send one and what you can expect in response.

## How to report

Send the report to [**security@swisspay.ai**](mailto:security@swisspay.ai). Include:

* A clear description of the vulnerability and where it is.
* Steps to reproduce, including any specific account state, URLs, or payloads.
* The potential impact — what an attacker could do.
* Your name and how you would like to be credited (or not).

If the report contains anything sensitive (proof-of-concept payloads, internal data accessed during testing), please encrypt the email. We will accept a PGP-encrypted message on request — reach out for the current public key.

## Our commitment to you

* **Acknowledgement** of every report within **2 business days**.
* **An initial triage assessment** within **5 business days** — severity, whether we can reproduce, and an indicative timeline.
* **Status updates at least every 14 days** until the issue is closed.
* **Public credit** in our security advisories (if you want it).

## Scope

In scope:

* The SwissPay API at `https://staging.swisspay.ai` and any other endpoint we operate.
* The SwissPay documentation site (this site).

Out of scope:

* The infrastructure of our sub-processors — report these to them directly.
* Social engineering of SwissPay staff or our customers.
* Denial-of-service attacks against any production service.
* Reports based on scanner output alone, without a demonstrated vulnerability.
* Attacks that require access to a victim's device, account, or network.
* Issues in third-party software outside our control (browsers, operating systems, etc.).

## Safe harbour

If you act in good faith, follow the rules above, and give us a reasonable chance to fix the issue before publishing, **we will not pursue legal action against you for your research**. This includes:

* Not testing beyond what is necessary to demonstrate the vulnerability.
* Not accessing or modifying data that is not your own.
* Not exfiltrating, retaining, or sharing customer data.
* Not exploiting the vulnerability for any purpose other than confirming it exists.

## Disclosure

We aim to publish a security advisory after the issue is fixed and our customers have had a reasonable window to update where applicable. Disclosure timing is coordinated with you. We follow a default 90-day disclosure window from initial report — extensions are possible by mutual agreement.
