How to report a security issue in Workfied — and the promise we make to researchers who do.
Last updated · July 06, 2026
Keeping your work logs safe is core to what Workfied does. If you're a security researcher and you've found a vulnerability in our Services, we want to hear about it. This policy explains what's in scope, the rules of engagement, and the safe harbor we extend to good-faith research.
Found something? Email security@workfied.com with a clear description, reproduction steps, and a working proof of concept. We'll acknowledge your report within 5 business days and share an initial assessment within 15 business days.
1. Reporting a vulnerability
If you believe you've found a security vulnerability in Workfied, please report it to security@workfied.com. To help us assess and fix the issue quickly, include:
A detailed description of the vulnerability and its potential impact;
Clear, step-by-step reproduction instructions; and
Supporting evidence — a demonstrable proof of concept showing how the vulnerability can be concretely exploited.
Theoretical scenarios without a working, reproducible proof of concept will not qualify for review. We will acknowledge your report within 5 business days and provide an initial assessment within 15 business days.
2. Scope
The following are in scope for this policy:
The Workfied mobile applications (iOS and Android);
The Workfied web application and dashboard;
Workfied backend and API services;
Authentication and authorization flows; and
The handling and storage of user content — your work logs and the documents generated from them.
3. Out of scope
The following are out of scope:
Third-party services and integrations (for example, our payment processors, analytics, and authentication providers) — report those to the relevant provider;
Workfied's marketing and documentation pages (the static www.workfied.com website); and
Findings produced by automated scanners without a demonstrated proof of concept.
4. Ineligible findings
In addition to a standard baseline of commonly excluded, low-severity report types, the following are not eligible:
Attacks requiring local device access — vulnerabilities that need physical access to a device, installation of software, reading of environment variables or memory, or extraction of hardcoded keys from application binaries.
Write-only telemetry tokens — exposure of client-side ingest tokens for analytics services.
Low-impact configuration issues — missing HTTP security headers or SSL/TLS configuration preferences without a demonstrated attack.
Other common exclusions — denial-of-service (DoS) attacks, social engineering, brute-force attacks, clickjacking, content spoofing, account or username enumeration, and previously reported or publicly known issues.
5. Rules of engagement
When researching, please:
Test only your own account and data;
Never access, modify, or delete another user's data;
Avoid disrupting our services or degrading the experience for other users;
Avoid denial-of-service testing;
Never conduct social engineering against our staff or users; and
Give us a reasonable amount of time to remediate before any public disclosure.
6. Safe harbor
If you conduct security research and disclose vulnerabilities in accordance with this policy, we consider your activities to be authorized. We will not pursue legal action against you for good-faith research that follows these rules, and we'll work with you to understand and resolve the issue quickly.
7. Recognition
We may offer recognition or compensation for valid, high-impact findings at our discretion. Workfied does not currently run a formal paid bug-bounty program.