We welcome reports from security researchers and members of the public who find issues with Impacturi (operated by Clickonic Ltd). This page tells you how to report a vulnerability safely, what we commit to, and what we ask of you in return.
How to report
- Email security@impacturi.com with a clear description, steps to reproduce, and any proof-of-concept code or screenshots.
- Encrypt sensitive details with our PGP key on request.
- Allow us a reasonable time to investigate and remediate before any public disclosure.
Scope
- In scope: the production site impacturi.com, all subpaths, our public API endpoints, and the Vercel deployment of the Impacturi application.
- Out of scope: third-party services we integrate with (Supabase, Vercel, Stripe, OpenAI, Anthropic, Resend, Sentry, UptimeRobot, ForwardEmail); social-engineering attacks against staff or pilot charities; physical attacks; denial-of-service testing; and any test that risks live charity or donor data.
What you can expect from us
- Acknowledgement within 3 working days.
- A triage update within 10 working days.
- A remediation plan and timeline for confirmed issues.
- Public credit in our security history, if you wish, once the fix has shipped.
- Good-faith handling: we will not pursue legal action against researchers who follow this policy.
What we ask from you
- Do not access, modify, or delete data that does not belong to you.
- Do not run automated scanners against the production site at a rate that could degrade service for charities. If you need to scan, contact us first and we will set up a staging environment.
- Stop testing immediately if you encounter personal data, and report what you saw without retaining a copy.
- Do not disclose the issue publicly until we have confirmed it is fixed.
Bounty
Impacturi does not currently run a paid bug-bounty programme. We are a small team and our pilot phase is still under way. We will publicly credit valid reports and may offer a small thank-you (a charitable donation in the reporter's name) at our discretion.
Safe harbour
Activities conducted in line with this policy will be considered authorised research. We will not initiate legal action against you, nor ask law enforcement to investigate, provided you act in good faith and follow the rules above.
Contact
security@impacturi.com for security reports.
support@impacturi.com for general support.