Good-faith research, honestly handled
Found something? We want to know. We're a two-person team — responses are personal, not automated, and we take every report seriously.
How to report
Email is the reporting channel right now. Reach us at security@batchrouter.com. We aim to acknowledge within 2 business days and triage within 5.
Email us directly
The security@batchrouter.com inbox reaches the founders directly.
security@batchrouter.comWhat to include
- Affected URL or endpointe.g. POST /v1/quotes/model or batchrouter.com/app/batches
- Steps to reproduceExact sequence that triggers the issue
- Proof of conceptScreenshot, curl command, or minimal code snippet
- Observed vs. expectedWhat happened vs. what should have happened
- Severity assessmentYour read on impact — we'll form our own view too
Scope
We're interested in vulnerabilities on batchrouter.com and api.batchrouter.com. Please don't test on production customer data — use your own account.
In scope
- Authentication or authorisation bypass on api.batchrouter.com
- Cross-tenant data leakage — batch output, API keys, org data
- Webhook signature bypass or forgery
- Injection vulnerabilities: SQL, command, SSRF
- XSS or CSRF leading to account compromise on batchrouter.com
- Privilege escalation: user → admin, or org → platform
- Sensitive data unexpectedly exposed in API responses
Out of scope
- Denial-of-service or rate-limit exhaustion
- Social engineering or phishing of staff
- Issues in third-party services (Stripe, Cloudflare, Resend)
- Automated scanner output with no working proof of concept
- Attacks requiring physical access to a device
- Self-XSS with no realistic attack path
What to expect from us
2 business days
Acknowledgment
We'll confirm we received the report and give it a reference.
5 business days
Triage
We'll confirm whether it's valid and in scope, and agree next steps with you.
Agreed together
Fix timeline
We'll share a realistic fix date and ask you to hold off public disclosure until then.
Safe harbour
We won't pursue legal action against researchers who act in good faith — meaning you don't access or modify data that isn't yours, you don't disrupt service for real users, and you give us reasonable time to fix the issue before going public. We're a small team and we'd rather collaborate than litigate.
Programme status
We keep this page current as the responsible disclosure programme matures.
API-credit rewards
We review valid, in-scope reports for Batchrouter credit awards case by case. There is no cash bounty programme yet.
Researcher credit
We'll credit researchers by name in the public changelog when a fix ships, if they want public acknowledgement.
Status & uptime page
The public status page checks API health today. Dispatch queue status, provider telemetry, and incident history remain internal until a public feed is wired.