Reporting a vulnerability
If you believe you've found a security issue in this site, the triage tool, or any HackFirstAid Municipal asset, please email security@hackfirstaid.com. We acknowledge reports within two business days and aim to triage within five.
Scope
- In scope: municipal.hackfirstaid.com, the triage decision tree, downloadable resources, and our public API endpoints when published.
- In scope (parent): the shared HackFirstAid identity provider and authentication endpoints.
- Out of scope: third-party services we don't operate (calendar booking, email forwarding, analytics provider), denial-of-service testing, social engineering of HackFirstAid staff or customers, physical attacks.
Safe harbour
We will not pursue legal action against good-faith researchers who:
- Make a reasonable effort to avoid privacy violations, service disruption, and data destruction;
- Only interact with accounts they own or have explicit permission to test;
- Give us reasonable time to investigate and resolve before public disclosure (we suggest 90 days, negotiable);
- Do not exploit the issue beyond the minimum necessary to demonstrate it.
What we ask
- Provide enough detail to reproduce: URL, payload, expected vs actual behaviour, browser/device.
- If sensitive data was accessed, stop and tell us; don't download or share it.
- Use coordinated disclosure. We'll credit you publicly if you'd like.
security.txt
Machine-readable contact information lives at /.well-known/security.txt.
Contact: security@hackfirstaid.com.