Security & Vulnerability Disclosure

Last updated: June 18, 2026

We take the security of FollowUpEasy and our users' data seriously, and we welcome reports from security researchers. We will work with you in good faith to verify and fix valid issues.

Reporting a vulnerability

Email dave@followupeasy.com. Reports may be submitted anonymously. We acknowledge receipt within three (3) business days and will keep you updated on validation and remediation.

Please include:

  • A clear description of the issue and its potential impact
  • Where you found it (URL / endpoint / parameter)
  • Step-by-step reproduction (proof-of-concept, scripts, or screenshots help)

Scope

In scope: the FollowUpEasy web application and API at www.followupeasy.com.

Out of scope (report to the relevant vendor): third-party services we rely on — Google / Gmail, Anthropic, Stripe, Render, Resend, PostHog, Cloudflare, and Gravatar — as well as findings requiring a compromised device or a man-in-the-middle position you control, and automated-scanner output with no demonstrated, exploitable impact.

Safe harbor

We will not pursue or support legal action against researchers who, in good faith, discover and report a vulnerability in accordance with this policy. We consider such research authorized.

Guidelines

  • Report any suspected vulnerability promptly after discovery.
  • Give us reasonable time to remediate before any public disclosure (see below).
  • Avoid privacy violations, data destruction, and service degradation or interruption.
  • Only interact with accounts you own or have explicit permission to test. Never access Gmail data belonging to anyone but yourself.
  • Use exploits only to the minimum extent needed to confirm an issue — do not pivot, escalate, persist, or exfiltrate data.
  • If you encounter any user data or credentials, stop, do not retain or disclose it, and tell us immediately.

Testing that is not authorized

  • Denial-of-service (DoS/DDoS) or volumetric/stress testing
  • Social engineering, phishing, or vishing of our users, operator, or vendors
  • Physical attacks
  • Spam or high volumes of low-quality automated reports

Disclosure

Please keep your report confidential until we confirm a fix. We request a coordinated disclosure window of up to 90 days and are happy to credit reporters who wish to be named.