Legal · Responsible Disclosure

Responsible Disclosure Policy

Last updated: 13 July 2026

We welcome reports from security researchers. This Policy sets out how to test Sovereign Suite responsibly, what is in scope, and how we will respond.

1. Reporting a vulnerability

Email security@sovereignsuite.com.au with a description of the issue, the affected endpoint or component, a proof of concept, and any suggested remediation. Encrypt sensitive detail on request. We will acknowledge receipt within two business days.

2. Safe harbour

If you make a good-faith effort to comply with this Policy, we will not pursue civil action against you for the testing and we will treat your research as authorised for the purposes of the Acceptable Use Policy. Safe harbour does not extend to breaches of Australian law or the rights of third parties.

3. Rules of engagement

  • Only test accounts and evidence you own or have written authority to test.
  • Do not access, alter or exfiltrate other users' data or Ledger entries.
  • Do not run denial-of-service, brute-force credential attacks, or destructive tests against production.
  • Do not submit unlawful content as part of testing (see the Acceptable Use Policy).
  • Give us a reasonable opportunity to remediate before any public disclosure — typically 90 days from the acknowledgement date.

4. In scope

  • The Sovereign Suite web application at sovereignsuite.com.au.
  • The public receipt verifier.
  • Documented server-side APIs.
  • The Ledger integrity and Receipt-signing surfaces.

5. Out of scope

  • Third-party services (for example, Paddle checkout pages).
  • Social-engineering attacks against staff or contractors.
  • Reports based solely on missing best-practice headers without a demonstrated impact.
  • Vulnerabilities in end-user browsers, extensions, or dependencies we do not control.

6. Recognition

With your consent we will credit valid reports on the Security Statement page. We do not currently operate a paid bug-bounty programme, but we may offer discretionary rewards for high-impact findings.

Full compliance pack: legal index.

Provided as compliance-oriented documentation for the Sovereign Suite platform. Review with Australian legal counsel before publishing. Not legal advice.