Responsible Disclosure
Last updated: 24 April 2026
1. How to report a vulnerability
If you have discovered a security issue in the PremonIQ platform, marketing site, or supporting infrastructure, please email security@premoniq.com.
A machine-readable version of this contact information is published at /.well-known/security.txt per RFC 9116.
2. What to include
- A clear description of the issue and its potential impact.
- Step-by-step reproduction instructions or proof of concept.
- Affected URLs, endpoints, or components.
- The version of any browser, client, or tooling you used, where relevant.
- Whether you believe the issue has been exploited in the wild.
3. What you can expect from us
- Acknowledgement within two business days of receipt.
- An initial assessment and indicative remediation timeline within seven business days.
- Regular updates while we investigate and remediate.
- Public credit, if you wish, once the issue has been resolved.
4. Scope
In scope:
- premoniq.com and its subdomains
- The PremonIQ application platform (authenticated and unauthenticated surfaces)
- Our API endpoints
Out of scope:
- Denial-of-service testing, spam, or automated volumetric attacks.
- Reports derived solely from automated scanners without a working proof of concept.
- Findings against third-party services we use (please report those upstream to the relevant provider).
- Social engineering of PremonIQ staff or customers.
- Physical security of our offices or datacentres.
5. Safe harbour
We will not pursue legal action against researchers who act in good faith, stay within the scope above, avoid privacy violations and service disruption, and give us a reasonable window to remediate before any public disclosure. Please do not access, modify, or exfiltrate data that does not belong to you; use test accounts and synthetic data where possible, and stop and contact us if you suspect you have accessed customer data.
6. Disclosure
We practice coordinated disclosure. Please refrain from publicly disclosing a vulnerability until we have confirmed remediation and, where appropriate, notified affected customers. Our target is remediation or mitigation within 90 days of a valid report; we will communicate promptly if an issue requires longer.
7. Bounty
We do not currently run a paid bug bounty programme but will recognise valid reports with public credit (where desired) and, at our discretion, tokens of appreciation.
8. Questions
For anything else related to security, contact security@premoniq.com.