Skip to content

Trust & safety

Security disclosure policy

How to report security findings responsibly. Last updated: 16 June 2026.

If you've found a security issue in List Mantis, thank you. Please report it privately by emailing security@listmantis.com. We'll acknowledge your report within 72 hours.

Please don't open a public GitHub issue, post in social media, or otherwise disclose the finding publicly before we've had a chance to fix it.


Scope

In scope

Out of scope


Bounty

We don't run a formal bug-bounty programme yet. For valid, non-trivial findings we'll offer a thank-you payment of £50–£500 depending on severity, paid by bank transfer.

Critical findings (remote code execution, full data leak, authentication bypass) land at the higher end of that range. We'll happily credit you publicly with your permission.


Safe harbour

Good-faith security research within the stated scope is permitted. We won't pursue legal action against researchers who:


Process

  1. You email security@listmantis.com with reproduction steps.
  2. We acknowledge within 72 hours.
  3. We triage and propose a fix timeline.
  4. We confirm the fix, agree on disclosure timing, and arrange payment.

Reference