Found a security issue? Email security@mail-organiser.com with details. We commit to acknowledging within 24 hours and working with you in good faith. We do not pursue legal action against responsible researchers.
1. Introduction
BakersGuild Limited is committed to the security of Mail-Organiser and the protection of our users' data. We value the work of the security research community and encourage responsible disclosure of security vulnerabilities. This policy sets out how to report vulnerabilities and what you can expect from us in response.
We operate a coordinated disclosure programme. We ask researchers to give us reasonable time to investigate and address vulnerabilities before public disclosure.
2. Scope
2.1 In Scope
The following assets are in scope for security research:
- The Mail-Organiser API (api.mail-organiser.com)
- The Mail-Organiser web application (mail-organiser.com and all subdomains)
- The Outlook add-in (task pane)
- The authentication flow and JWT handling
- Microsoft Graph API integration
2.2 Out of Scope
The following are explicitly out of scope. Issues in these areas should be reported to the relevant third party directly:
- Microsoft's infrastructure, Azure, or Microsoft 365 (report to Microsoft)
- Cloudflare's infrastructure (report to Cloudflare)
- Anthropic's API or Claude models (report to Anthropic)
- Stripe's payment infrastructure (report to Stripe)
- Vulnerabilities in third-party libraries that have not yet been patched upstream
- Social engineering or phishing attacks targeting Mail-Organiser staff
- Physical security of our offices or personnel
- Denial of service attacks
3. Eligibility
To be eligible for our responsible disclosure programme:
- You must be the first to report the specific vulnerability
- You must comply with the rules set out in this policy
- You must not be employed by BakersGuild Limited or a contractor actively engaged with us
- You must be at least 18 years of age (or have parental consent)
- You must not reside in a country subject to UK financial sanctions
4. Rules of Engagement
When conducting security research on Mail-Organiser systems, you must:
- Only test against your own accounts and data — never access or modify other users' data
- Use test accounts created specifically for security research
- Avoid any activity that could harm the availability or performance of the service for other users
- Not exfiltrate any user data beyond what is minimally necessary to demonstrate the vulnerability
- Not exploit the vulnerability for financial gain or to harm users
- Not disclose the vulnerability publicly until we have had a reasonable opportunity to address it (see timeline below)
- Stop testing immediately and notify us if you unexpectedly encounter other users' data
5. How to Report
Submit vulnerability reports by email to security@mail-organiser.com. Please include:
- Description: A clear description of the vulnerability and its potential impact
- Reproduction steps: Step-by-step instructions to reproduce the issue
- Affected component: The URL, endpoint, or feature affected
- Proof of concept: Code, screenshots, or other evidence (where applicable)
- Your contact details: For follow-up questions (email address or pseudonym)
- Preferred disclosure timeline: When you intend to publish, if at all
You may encrypt your report using our PGP key if the content is particularly sensitive. Contact security@mail-organiser.com for our current PGP fingerprint.
6. Our Response Timeline
- Day 1: We acknowledge receipt of your report and assign a tracking reference
- Day 5: We provide an initial severity assessment and expected resolution timeline
- Day 30: Target for resolution of high-severity vulnerabilities
- Day 90: Target for resolution of medium-severity vulnerabilities. We request public disclosure not before this date unless severity warrants earlier action.
- Post-fix: We notify you when the fix is deployed and coordinate public disclosure if desired
We may request extensions to these timelines for complex vulnerabilities. We will keep you informed of progress throughout.
7. Severity Classification
We classify vulnerabilities using the following severity levels:
- Critical: Remote code execution, authentication bypass, mass data exposure
- High: Unauthorised access to user data, account takeover, significant security control bypass
- Medium: Privilege escalation, limited data disclosure, CSRF without significant impact
- Low: Information disclosure, minor security misconfigurations
8. What We Ask of You
- Give us reasonable time to investigate and fix the issue before publishing
- Avoid testing that could harm other users' data or service availability
- Act in good faith — we will do the same
9. Our Commitments to You
- We will acknowledge your report within 24 business hours
- We will not pursue legal action against researchers who act in good faith and comply with this policy
- We will keep you informed of the status of your report
- We will credit you in any public disclosure (unless you prefer anonymity)
- We will notify you when the vulnerability has been resolved
We do not currently offer monetary bug bounties, but we are grateful for the contribution of security researchers and may introduce a formal bounty programme in future.
10. Legal Safe Harbour
BakersGuild Limited will not initiate legal action against any security researcher who:
- Complies with this Vulnerability Disclosure Policy
- Acts in good faith and does not exploit vulnerabilities for personal gain
- Does not access, modify, or exfiltrate user data beyond what is necessary to demonstrate the vulnerability
- Gives us reasonable time to address the vulnerability before disclosure
We consider responsible security research a valuable service and appreciate researchers who help us improve the security of Mail-Organiser.
11. Contact
Security disclosures: security@mail-organiser.com
General security questions: security@mail-organiser.com