Vulnerability Disclosure Policy
This policy exists so that if you happen to find a vulnerability in Our Cat Herder, you know how to tell us about it. This is not an invitation to scan, probe, or test our platform. We do not authorise security testing by external parties unless we have agreed to it in writing.
No bug bounty program
We don’t run a bug bounty program and we can’t pay for vulnerability reports. We’re a small company and at this time our security budget goes to professional penetration testing rather than bounties.
If you’ve found a real vulnerability, we do want to know about it. We just can’t pay you for it.
Reporting a vulnerability
Email support@ourcatherder.com with:
- What the vulnerability is and where it occurs
- Steps to reproduce it
- What data or functionality could be affected
- A working proof-of-concept
- Your name or handle if you’d like credit (optional)
Reports must be in English, concise, and include a working proof-of-concept. We won’t look at scanner output, AI-generated writeups, or theoretical findings that come without a working exploit.
We’ll try to acknowledge valid reports within 14 business days. If we fix the issue, you can be listed in the acknowledgements below.
Rules
- Only test against your own accounts.
- No denial-of-service testing, no destroying data, no disrupting other users.
- Do not publicly disclose any vulnerability without our written consent.
- Use the minimum access needed to confirm the issue.
Safe harbour
We won’t take legal action against researchers who report in good faith and follow the rules above.
Any testing beyond what’s needed to identify and verify a vulnerability you’ve already found needs our written permission.
Out of scope
We don’t consider these to be reportable vulnerabilities:
- Missing or misconfigured HTTP headers (CSP, X-Frame-Options, etc.)
- Missing security attributes on non-sensitive cookies
- Autocomplete on forms
- Self-XSS (requires the victim to paste code into their own browser)
- Username or email enumeration via login, registration, or password reset
- Version or banner disclosure in server headers
- Open redirects without a demonstrated attack chain
- Lack of rate limiting without demonstrated exploitation
- Vulnerabilities in third-party libraries without a demonstrated exploit path in our application
- CORS misconfiguration without demonstrated security impact
- SPF, DKIM, or DMARC email configuration issues
- Reports about non-production environments
- Social engineering of staff
- Physical attacks
- Denial-of-service
Read more about how we handle security on our Security page.
Acknowledgements
Thanks to the following researchers for reporting issues to us:
- No one yet. You could be first.
Last updated January 2026.