Security

Good-faith research, honestly handled

Found something? We want to know. We're a two-person team — responses are personal, not automated, and we take every report seriously.

How to report

Email is the reporting channel right now. Reach us at security@batchrouter.com. We aim to acknowledge within 2 business days and triage within 5.

Email us directly

The security@batchrouter.com inbox reaches the founders directly.

security@batchrouter.com

What to include

  • Affected URL or endpointe.g. POST /v1/quotes/model or batchrouter.com/app/batches
  • Steps to reproduceExact sequence that triggers the issue
  • Proof of conceptScreenshot, curl command, or minimal code snippet
  • Observed vs. expectedWhat happened vs. what should have happened
  • Severity assessmentYour read on impact — we'll form our own view too

Scope

We're interested in vulnerabilities on batchrouter.com and api.batchrouter.com. Please don't test on production customer data — use your own account.

In scope

  • Authentication or authorisation bypass on api.batchrouter.com
  • Cross-tenant data leakage — batch output, API keys, org data
  • Webhook signature bypass or forgery
  • Injection vulnerabilities: SQL, command, SSRF
  • XSS or CSRF leading to account compromise on batchrouter.com
  • Privilege escalation: user → admin, or org → platform
  • Sensitive data unexpectedly exposed in API responses

Out of scope

  • Denial-of-service or rate-limit exhaustion
  • Social engineering or phishing of staff
  • Issues in third-party services (Stripe, Cloudflare, Resend)
  • Automated scanner output with no working proof of concept
  • Attacks requiring physical access to a device
  • Self-XSS with no realistic attack path

What to expect from us

2 business days

Acknowledgment

We'll confirm we received the report and give it a reference.

5 business days

Triage

We'll confirm whether it's valid and in scope, and agree next steps with you.

Agreed together

Fix timeline

We'll share a realistic fix date and ask you to hold off public disclosure until then.

Safe harbour

We won't pursue legal action against researchers who act in good faith — meaning you don't access or modify data that isn't yours, you don't disrupt service for real users, and you give us reasonable time to fix the issue before going public. We're a small team and we'd rather collaborate than litigate.

Programme status

We keep this page current as the responsible disclosure programme matures.

Case by case

API-credit rewards

We review valid, in-scope reports for Batchrouter credit awards case by case. There is no cash bounty programme yet.

Available

Researcher credit

We'll credit researchers by name in the public changelog when a fix ships, if they want public acknowledgement.

Partial

Status & uptime page

The public status page checks API health today. Dispatch queue status, provider telemetry, and incident history remain internal until a public feed is wired.