Security & Vulnerability Disclosure
Last updated: 2026-06-13
We take the security of Fieldsmith and the businesses that run on it seriously. If you believe you've found a security vulnerability, we want to hear about it. This policy explains how to report one and what you can expect from us. It's the canonical policy referenced by our security.txt.
1. How to report
Email security@fieldsmith.work with:
- A description of the issue and its potential impact.
- Clear steps to reproduce (proof-of-concept, requests, screenshots).
- The affected URL, endpoint, or area of the product.
- Any account or workspace identifiers you used in testing.
Please report promptly and give us a reasonable chance to remediate before any public disclosure.
2. What to expect from us
- We'll acknowledge your report within 3 business days.
- We'll work to validate and triage it, and keep you updated on our progress toward a fix.
- We're happy to credit you once an issue is resolved, if you'd like to be acknowledged.
3. Safe harbor
We consider security research conducted in good faith and in line with this policy to be authorized. We will not pursue or support legal action against you for such research, and we'll work with you to understand and resolve the issue quickly. If a third party brings legal action against you for activity that complied with this policy, we'll make our authorization known.
4. Scope
In scope:
- fieldsmith.work and the Fieldsmith web application.
- Our public API and customer-facing endpoints.
Out of scope — please do not test these:
- Denial-of-service (DoS/DDoS) or volumetric/load testing.
- Social engineering, phishing, or physical attacks against our staff, users, or facilities.
- Spam, or findings from automated scanners without a demonstrated, exploitable impact.
- Accessing, modifying, or deleting data that isn't yours. Use test accounts and your own workspace; if you encounter someone else's data, stop and report it.
- Third-party services we use (Stripe, SendGrid, etc.) — report those to the vendor.
5. Rewards
We don't currently run a paid bug-bounty program, but we genuinely appreciate responsible disclosure and will acknowledge researchers who help keep Fieldsmith safe.
6. Contact
Security reports: security@fieldsmith.work. For privacy questions, see our Privacy Policy.