Vulnerability Disclosure Policy
Last updated: April 2026
Fifteen54 welcomes responsible security research. If you believe you have found a security vulnerability in our platform, we encourage you to report it so we can address it promptly.
We practise responsible disclosure ourselves, reporting vulnerabilities we discover in third-party software to the relevant vendors before any public disclosure.
Scope
In scope:
- The Fifteen54 web application and API
- Authentication and authorisation mechanisms
- Data exposure or tenant isolation issues
- Cross-site scripting (XSS), injection, or similar web vulnerabilities
Out of scope:
- Social engineering or phishing attacks against Fifteen54 staff or customers
- Denial of service (DoS/DDoS) attacks
- Physical security testing
- Third-party services (AWS, MongoDB Atlas, etc.) — report these to the respective vendor
- Automated scanning that generates excessive traffic
- Vulnerabilities in software we don't control (browsers, operating systems)
How to Report
Email security@fifteen54.com.au with:
- A description of the vulnerability
- Steps to reproduce
- The potential impact as you understand it
- Your contact information (so we can follow up)
Please do not disclose the vulnerability publicly until we have had a reasonable opportunity to address it.
What to Expect
| Step | Timeframe |
|---|---|
| Acknowledgement of your report | Within 72 hours |
| Initial assessment and severity classification | Within 5 business days |
| Resolution target (critical/high severity) | Within 30 days |
| Resolution target (medium/low severity) | Within 90 days |
| Status update if resolution is delayed | Every 14 days |
Safe Harbour
Fifteen54 will not pursue legal action against security researchers who:
- Act in good faith and follow this policy
- Do not access, modify, or delete customer data
- Do not disrupt the availability of the platform
- Report findings promptly and do not publicly disclose before a fix is available
- Do not use findings for personal gain beyond the scope of this policy
Recognition
We are happy to credit researchers who report valid vulnerabilities (with your permission). Let us know in your report if you would like to be acknowledged.
Contact
Email: security@fifteen54.com.au
Security officer: Andrew Miller