
Security

Vulnerability Disclosure Policy

Effective May 23, 2026 · Companion to /.well-known/security.txt

Atamatax handles US federal tax-return data, brokerage holdings, and payment information for US citizens and green-card holders abroad. We take that responsibility seriously and welcome reports from independent researchers who help us keep customer data safe.

Reporting a vulnerability

Email security@atamatax.com with:

  • A clear description of the issue and where you found it.
  • Steps to reproduce — proof-of-concept code, screenshots, or HTTP request/response captures are welcome.
  • Impact — what an attacker could do, and any user data that would be exposed.
  • Your name or handle for the acknowledgments page (optional).

We aim to acknowledge new reports within 2 business days and provide a substantive triage update within 5 business days.

Scope

  • www.atamatax.com and any sub-paths served by Atamatax.
  • The Atamatax API surface under /api/*.
  • Authentication, session, and payment flows.

Out of scope

  • Findings that require physical access, social engineering of our staff or customers, or compromise of a customer's personal device or account credentials.
  • Volumetric DoS / DDoS testing, automated scanner output without a demonstrated impact, and missing best-practice headers without a concrete exploit.
  • Vulnerabilities in third-party services we use (Vercel, Supabase, Stripe, Plaid, Resend, PostHog) — please report those to the vendor directly.
  • Test/staging hostnames (e.g. preview deployments).

Safe-harbor terms

When you make a good-faith effort to comply with this policy, Atamatax will:

  • Treat your research as authorised access and not pursue or support legal action against you.
  • Work with you to understand and resolve the issue before any public disclosure.
  • Recognise your contribution (with your permission) on our acknowledgments page.

To stay in good-faith scope, please:

  • Only test against accounts you own or accounts the account holder has authorised you to test.
  • Avoid accessing, modifying, or deleting other customers' data. Stop testing as soon as you confirm a finding.
  • Do not run automated scans that degrade the service.
  • Do not publicly disclose the vulnerability before we've had a reasonable opportunity to remediate (90 days from triage is our default ceiling).

Bounty

We do not currently run a paid bug-bounty programme. We acknowledge every valid report publicly and personally — we'll add a formal bounty once volume warrants it.

Encryption

A PGP key for encrypting sensitive reports is available on request from security@atamatax.com.