Security disclosure
Report a vulnerability, responsibly.
If you've found a security issue in PracticaCPD, please tell us. We won't take legal action against good-faith researchers, and we'll work with you to fix it before public disclosure.
Last updated 16 May 2026
How to report
Email security@practicacpd.com.au. Include:
- A description of the issue and its impact.
- Reproduction steps, ideally with a proof-of-concept.
- Any caveats — e.g. whether exploitation requires a specific user role, configuration, or sequence.
- How you'd like to be credited (or to remain anonymous).
Our security.txt is at /.well-known/security.txt.
What's in scope
- practicacpd.com.au and any subdomain we operate.
- The PracticaCPD mobile application (when released).
- Authenticated and unauthenticated functionality on those surfaces.
What's out of scope
- Third-party services we use (Supabase, Stripe, Resend, AWS, Netlify, Google Analytics). Report those directly to the providers.
- Social engineering attempts against our users or staff.
- Denial of service, brute-force, or rate-limit testing. We use rate limits intentionally; please don't try to circumvent them.
- Issues that require a malicious admin to exploit (the admin role is held by a single trusted operator and is not part of the threat model).
- Findings without a clear security impact (e.g. missing best-practice headers on static pages with no sensitive content).
What we promise
- We'll acknowledge your report within five business days.
- We'll keep you updated on triage, remediation, and timing.
- We won't pursue legal action against good-faith researchers who follow this policy — meaning no privacy violations, no data exfiltration beyond minimal proof, no service disruption, and reasonable time before public disclosure.
- We'll publicly credit you (with your consent) once the fix is shipped.
What we ask of you
- Don't access, modify, or exfiltrate data that isn't yours beyond the minimum needed to demonstrate the issue.
- Don't disclose the issue publicly until we've had a reasonable time to fix it (typically 90 days, but we'll communicate if longer is needed for a particularly hard fix).
- Don't test on real patient data; create test accounts where possible.
What we don't have (yet)
No bug bounty programme at this stage — PracticaCPD is a small operation. We can offer public credit, a written acknowledgement, and the genuine appreciation of a team building a privacy-sensitive product. A paid programme may follow as the platform scales.
Privacy reports
If your concern is about privacy practices (data collection, retention, sharing) rather than a security vulnerability, please use support@practicacpd.com.au and reference our Privacy Policy.
