Vulnerability Disclosure Policy

Current as of November 25, 2019.

Purpose of this document

The safety of our customers and the services we provide them is a priority at Sellsy. As a service provider strongly linked to personal and administrative data (CRM, billing, accounting), security is at the heart of each of our developments.

Despite this particular attention, some vulnerabilities may remain in our products.

The purpose of this document is to describe our policy regarding vulnerability, formalising our commitment to security and our acknowledgement of the efforts of the security community.


— Any element of the Sellsy application (web interface, API, etc.)

— The services present on the domains:

Rules regarding disclosure

Sellsy undertakes not to prosecute the parties submitting vulnerability reports when the declarant(s):

  • Perform security research without harming Sellsy or its customers, employees or contractors
  • Do not use, disclose, or modify any data obtained as part of this research
  • Do not perform any action affecting the smooth operation of the services
  • Do not perform a denial of service attack

Identified vulnerabilities should be the subject of a detailed report, written in English.

The report must present a real proof of vulnerability as well as the steps necessary to reproduce the flaw.

No personal data should appear in the report.

The declarant(s) undertake not to publicly disclose the flaw without the express agreement of Sellsy.

The report should be sent at [email protected] and encrypted with the PGP key available here: responsible-disclosure-pgp-key.txt

NB: the email [email protected] is for the sole purpose of collecting vulnerability reports. All other requests must be sent to [email protected].


Sellsy is committed to providing an answer to the declarants.

If the reported vulnerability is proven, financial compensation may be awarded to the declarants at Sellsy’s discretion.

Similarly, the declarant may be credited on a public page managed by Sellsy.