Vulnerability disclosure
If you've found a vulnerability in OneBookPlus, please tell us. We'll read your report, respond, and credit your work if you'd like.
We treat reports from external security researchers as a benefit, not a threat. This page tells you how to reach us, what's in and out of scope, and what you can expect from us in return.
How to report
Preferred: email [email protected].
Backup: [email protected] if security@ is unreachable.
Please include:
- A short description of the vulnerability and what an attacker could do with it.
- Steps to reproduce: URLs, request bodies, screenshots, video — whatever helps us see what you saw.
- Your name or pseudonym, and how you'd like to be credited (or "no credit" if you prefer).
If your report contains sensitive proof and you want to encrypt it, email us first — we'll send back a per-conversation public key. A persistent PGP key is on our roadmap.
Please don't
- Don't post the vulnerability publicly, on social media, or in a Git issue before we've had a reasonable chance to fix it.
- Don't run automated scanners against the production site. They burn capacity for other users and rarely surface findings beyond what a thoughtful manual look already does.
- Don't view, copy, retain, or transmit personal information beyond what's needed to demonstrate the vulnerability. Stop at "I can read this, but I'm not going to."
What's in scope
- The OneBookPlus app at https://onebookplus.com.au and subdomains.
- Server-side APIs at https://onebookplus.com.au/api/*.
- Public tenant sites at https://*.onebookplus.com.au and customer-configured custom domains pointing at OneBookPlus.
- Authentication and session handling, including MFA flows.
- Tenant isolation (row-level security boundaries between tenants).
- TLS / encryption-in-transit configuration.
- The SBR / ATO transmission path.
- Vulnerabilities in third-party dependencies as included in OneBookPlus, where the impact materialises in our app.
What's out of scope
- Third-party services we use — Supabase, Vercel, Cloudflare, Resend, Stripe, AWS, the ATO SBR endpoints. Please report those to the respective providers.
- Denial-of-service or volumetric attacks — describe them in writing instead of demonstrating them.
- Social engineering of OneBookPlus staff or customers.
- Physical access to anyone's devices or premises.
- Best-practice findings without a concrete exploitation path (e.g. "you're missing this header" with no demonstrated impact).
- Self-XSS that requires the victim to paste attacker-supplied input into their own browser console.
- Findings against non-production environments (evte.*, *.vercel.app previews, dev) unless you can reproduce against production.
If you're not sure, email us first at [email protected]. We're happy to discuss before you start.
Safe harbour
We will not pursue legal action against you, nor refer your activity to law enforcement, for security research conducted in good faith and consistent with this page. Specifically:
- Activity within this scope is not a violation of the OneBookPlus Terms of Service.
- We will not treat such activity as a Criminal Code Act 1995 (Cth) Part 10.7 (computer offences) violation, where research stops at first discovery rather than escalating into data exfiltration or impact.
- We will not treat it as a Privacy Act 1988 (Cth) violation where you have not viewed, copied, retained, transmitted or used personal information beyond what is necessary to demonstrate the vulnerability.
This safe harbour applies only when:
- You report privately first (see "How to report").
- You respect the out-of-scope list.
- You don't engage in fraud, extortion, or causing harm to OneBookPlus or its users.
What you can expect from us
| Stage | When | What |
|---|---|---|
| Acknowledgement | Within 3 business days | We've received your report and assigned it a tracking ID. |
| Triage | Within 7 business days | We've reproduced or asked clarifying questions, and given you our initial severity assessment. |
| Status updates | Every 14 days while open | A short note on progress. |
| Resolution | P1 ≤ 30 days · P2 ≤ 90 days · P3 ≤ 180 days from confirmation | Fix deployed; verified with you if you've offered. |
| Credit | Within 14 days of fix | Public acknowledgement (if you want it) on /security/acknowledgments; CVE if applicable. |
If we miss a target, we'll tell you why and reset expectations together. We're a small team — communication is the lever, not bureaucracy.
What we will not do
- We won't try to identify you beyond the contact details you provide.
- We won't share your identity with anyone without your consent, except where required by law.
- We won't threaten you, sue you, or pressure you into silence as long as you follow this policy.
Coordinated disclosure with regulators
If a confirmed vulnerability has resulted in or is likely to result in unauthorised access to tax-related data, the SBR machine credential, or our field-level encryption key, we are required to notify:
- The ATO Digital Partnership Office (under the Operational Security Framework data-breach process).
- The Office of the Australian Information Commissioner, where the breach is eligible under the Notifiable Data Breaches scheme.
We'll let you know when these notifications go out. We won't name you to either regulator without your consent.
Bug bounty?
We don't currently run a paid bug-bounty programme. We welcome your reports anyway and will publicly credit valid findings.
If we add a paid programme in the future, we'll announce it here. We won't retroactively pay for reports made before any paid programme launches.
Machine-readable metadata
For automated tooling: see /.well-known/security.txt (RFC 9116).