PracticPro values the security research community. If you believe you have found a security vulnerability in our Services, please report it to us so we can fix it.

How to report

Email [email protected] with:

  • A clear description of the issue.
  • Steps to reproduce it (URLs, payloads, accounts used, browser, time).
  • Any proof-of-concept code, screenshots, or video, if helpful.
  • The potential impact you believe it has.
  • Your name and how you would like to be credited (if at all).

We will acknowledge your report within 3 business days and keep you updated on our progress.

Our Commitments to Researchers

If you act in good faith under this policy:

  • We will not take legal action against you or report you to law enforcement for good-faith research that complies with this policy.
  • We will work with you to understand and resolve the issue promptly.
  • We will recognize your contribution if you would like to be credited, after the vulnerability is resolved.
  • We will be transparent with you about progress, expected timelines, and the fix.

What We Ask of You

To stay within this policy:

  • Make a good-faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our Services.
  • Only interact with accounts you own, or accounts whose holder has given you explicit permission to test.
  • Do not access, modify, or download data that does not belong to you. If you accidentally encounter such data, stop, do not copy or share it, and report it immediately.
  • Do not exploit a vulnerability beyond the minimum needed to demonstrate it.
  • Do not publicly disclose the vulnerability before it has been fixed and we have agreed on disclosure. Coordinated disclosure benefits everyone.
  • Do not perform tests that could harm PracticPro, its customers, or third parties (no denial of service, no spam, no social engineering of our employees or customers, no physical attacks).
  • Do not use automated scanners against our production systems without prior written authorization.

Scope

In scope

  • practicpro.com - the marketing website.
  • portal.practicpro.com - the authenticated PracticPro application.
  • PracticPro mobile applications, where available.
  • PracticPro's REST API and MCP server.

Out of scope

  • Third-party services and sub-processors we use (Twilio, Telnyx, Stripe, OpenAI, Anthropic, Google, DigitalOcean, Cloudflare, etc.). Report vulnerabilities in those products to the provider directly.
  • Findings from automated tools without verified, exploitable impact.
  • Issues that require physical access to a victim's device.
  • Self-XSS or attacks requiring the victim to paste an attacker-supplied payload into their own browser console.
  • Missing security headers without a demonstrable exploit.
  • Rate-limiting or brute-force findings without a working bypass.
  • Reports based purely on the version of a dependency, without a working exploit.
  • Social engineering of PracticPro employees, customers, or contractors.
  • Denial of service.

What Happens Next

  1. Acknowledgement within 3 business days.
  2. Triage within 10 business days, including a preliminary severity assessment and timeline.
  3. Resolution on a schedule appropriate to severity. We aim to fix critical issues within days, high-severity issues within weeks, and lower-severity issues within the next normal release cycle.
  4. Coordinated disclosure, if you would like to publish details, after the fix is deployed and we have agreed on timing.

Bug Bounty

PracticPro does not currently run a paid bug bounty program. We recognize meaningful contributions on this page (with the researcher's permission) and may offer thank-you gestures at our discretion.

Not a vulnerability, but a privacy concern? Email [email protected] or see our Privacy Policy.

Contact

Security reports: [email protected]

This policy is published in good faith. We may update it from time to time. The current version is always at this URL.

Last updated: May 21, 2026