If you've found a security issue in List Mantis, thank you. Please report it privately by emailing security@listmantis.com. We'll acknowledge your report within 72 hours.
Please don't open a public GitHub issue, post in social media, or otherwise disclose the finding publicly before we've had a chance to fix it.
Scope
In scope
listmantis.com— marketing site, auth, and APIstaging.listmantis.com- The native iOS app (once published on the App Store)
Out of scope
- Third-party services we depend on — Stripe, SMTP2GO, Hetzner Cloud infrastructure below our VM, OpenStreetMap tile servers, Capacitor plugins.
- Denial-of-service or volumetric attacks.
- Findings requiring physical access to our infrastructure or social engineering of staff.
- Missing security headers without a demonstrated exploit path.
- Automated-scanner output without context, or best-practice deviations with no security impact.
Bounty
We don't run a formal bug-bounty programme yet. For valid, non-trivial findings we'll offer a thank-you payment of £50–£500 depending on severity, paid by bank transfer.
Critical findings (remote code execution, full data leak, authentication bypass) land at the higher end of that range. We'll happily credit you publicly with your permission.
Safe harbour
Good-faith security research within the stated scope is permitted. We won't pursue legal action against researchers who:
- Stay within the scope above.
- Don't access, modify, or destroy other users' data.
- Don't degrade service for other users (no automated scanning at a rate that would affect availability, no destructive testing).
- Report findings to us as soon as you can reproducibly confirm them.
- Give us a reasonable window to remediate before any public disclosure — we aim for 90 days, faster on critical.
Process
- You email security@listmantis.com with reproduction steps.
- We acknowledge within 72 hours.
- We triage and propose a fix timeline.
- We confirm the fix, agree on disclosure timing, and arrange payment.
Reference
security.txt: /.well-known/security.txt (RFC 9116)- Repository policy:
SECURITY.mdon GitHub