We welcome reports from security researchers. This page describes how to report a vulnerability and what to expect from our response. The machine-readable equivalent following RFC 9116 is at /.well-known/security.txt.
How to Report
Email security@upinity.com with: a description of the vulnerability, the affected endpoint or component, reproduction steps, and (if applicable) a proof-of-concept. Please do not post vulnerabilities publicly before we've had a chance to acknowledge and fix them.
Scope
In scope: upinity.com (marketing site), app.upinity.com (SaaS application), go.powerb.swiss (Mautic instance handling our forms). Out of scope: social engineering or phishing of POWERB staff, denial-of-service or volumetric attacks, and vulnerabilities in third-party services we depend on (Stripe, hosting providers); please report those directly to the vendor concerned.
Response Times
We acknowledge new reports within 2 business days and complete an initial assessment and severity classification within 5 business days. The fix or mitigation timeline depends on severity and is communicated in our acknowledgement reply.
Recognition
We don't currently operate a paid bug bounty programme. Researchers who report valid vulnerabilities responsibly are credited on a public hall of fame (with their consent) and receive a written acknowledgement letter.
Compliance
We aim for alignment with SOC 2 controls and ISO 27001 practices. GDPR / Swiss nLPD compliance is detailed in our Privacy Policy. Specific compliance certificates can be requested from sales@upinity.com under NDA.
Safe Harbour
We will not pursue legal action against researchers who follow this policy, act in good faith, do not access or modify data beyond what is necessary to demonstrate the vulnerability, and do not impact availability of the service.
Security contact: security@upinity.com. Public PGP key: not currently published; we accept reports in plain email and will move to encrypted channels if requested.