DutyClaims Docs
Security

Report security vulnerabilities privately so they can be investigated quickly.

If you believe you have found a security vulnerability in DutyClaims, please report it privately to contact@dutyclaims.com.

How to report

  • Include the affected URL, workflow, or endpoint, a clear description of the issue, reproduction steps, timestamps, and the impact you observed or expect.
  • Send proof-of-concept material only when it is necessary to validate the issue, and keep it limited to the minimum data needed to explain the report.
  • If the issue could expose customer, account, or personal data, call that out clearly in the report so triage can prioritize it correctly.
  • Please do not disclose the issue publicly before DutyClaims has had a reasonable opportunity to investigate and remediate it.

Good-faith testing boundaries

  • Act in good faith and avoid privacy violations, data destruction, service disruption, or social engineering.
  • Do not access, modify, download, or retain data that does not belong to you beyond what is strictly necessary to demonstrate the issue.
  • Do not run high-volume automated scans or destructive tests against production systems without prior written coordination.

What helps triage fastest

  • The exact hostname, environment, and authenticated role or partner context involved.
  • The smallest reliable set of steps needed to reproduce the issue.
  • The security impact you expect, especially if auth, data exposure, or privilege boundaries are involved.
  • Any request IDs, correlation IDs, timestamps, screenshots, or sanitized logs that help confirm the behavior.