
How to report

Use the current contact route at /contact/. Do not send secrets through the public intake until an operator-supplied PGP key is published in /.well-known/security.txt.

What to include

  • Steps we can follow to reproduce the issue.
  • Expected vs actual behaviour.
  • Impact assessment in your own words.
  • Your name (or pseudonym) for credit, if you want it.

Our response

  • Acknowledgement within 24 hours.
  • Triage within 3 business days.
  • Fix for critical issues within 7 days; lower severity within 30 days.
  • Public disclosure within 30 days of fix, coordinated with you.

Scope

In scope: Hoist public service hosts, the dashboard, account pages, public APIs, public SDKs, connected AI-tool access, and the Hoist Connector.

Connected-tool issues we want to hear about:

  • A connected tool can access more than the human user approved.
  • A paid search can run without the required price confirmation.
  • A person-search boundary can be bypassed by changing fields, prompts, or connected-tool settings.
  • A returned Evidence Pack can be changed without detection.
  • Access approved for one connected client can be reused by another.

Out of scope (please don't): denial-of-service attacks, social engineering of our staff, third-party services (Cloudflare, Stripe, Clerk - report to them), the AI host applications themselves (Claude Desktop, ChatGPT, Cursor, etc. - report those to their respective vendors).

Support vs security

Account access, billing, setup help, and questions about a search result are support requests. Use /contact/ for those too, but mark security reports clearly so they go to triage first.

Bounty

We pay A$50 to A$2,500 for valid reports, depending on severity. Email us first if your report platform charges a submission fee.

Safe harbour

Good-faith research won't trigger legal action from us. We won't pursue prosecution for security testing conducted within scope and consistent with this policy.