Security & vulnerability disclosure.
If you’ve found a security issue in RevenuePoint or anything we run, here’s how to reach us safely. We take every report seriously, respond fast, and credit researchers who help us ship a fix.
Acknowledgement within 1 business day · triage within 5 · fix coordinated end-to-end.
How to report a vulnerability.
Email [email protected]. Encrypt with our PGP key if you can — it’s below. Plain email is fine if you can’t. Don’t use [email protected] for security reports; that inbox isn’t monitored for vulnerabilities.
PGP public key.
Use this key to encrypt sensitive details. The same key is published at github.com/revenuepoint/security. Verify the fingerprint matches before you trust this copy.
- Fingerprint
- 2434 3BBD A0E3 EB11 FB09 E61C BA2C 04DF 4D57 0765
- Identity
- RevenuePoint Security <[email protected]>
- Mirror
- github.com/revenuepoint/security/pgp-key.asc
-----BEGIN PGP PUBLIC KEY BLOCK-----
mQENBGXw+hgBCADw8fsywGEF8Rbbt7D1/vxcfYxPMxPZnlqY6+TU5/p8zgUWfx0t
g4zICh2X79JbDdnyPXQYY0vdE+kZNfG8VNxgBhyl7pQTmW8KrQXW2/7LRy7Ifg0C
gJPM74uxnhjttcuoT2AKHsypMNoswEMr++LAm6ryAoLybUcjd+EKayJa/AIbMJ4w
d+Gb22d2P+OuM9/0k9MAo52kHXQeANXPU3iUHagtR3P/C+Lm+jrT4xLKTEsOcaDT
FZGya03q/wtW+gXQ3EV8ELS/x8jDbfBPYIO2LQaktszqkiJeWCM2qpZypOryIuGZ
iKTzXUOzp/dIgccsr+zjcQgDE9aaFFCnpAzBABEBAAG0JlRob21hcyBKb25lcyA8
dGhvbWFzQHJldmVudWVwb2ludC5jb20+iQFUBBMBCgA+FiEEJDQ7vaDj6xH7CeYc
uiwE301XB2UFAmXw+hgCGwMFCQHhM4AFCwkIBwIGFQoJCAsCBBYCAwECHgECF4AA
CgkQuiwE301XB2UZHQf+KOKsH7W8+r+/Hn0JptHoVhizNSXNQ3q54ft9KqfBdC6J
/8FpzpF1isLlfKsg91uHIvlsi/s27L2BCCC5006HK0S6sLjsjhYo4opwrsu9Q3i+
/yXGlNenDO+PInwIwBTRkwvW05MxUssMSECDWnviiwipg06edkrGta/qoDzjsFIn
s3b+6y5zYHxxaoTKwwwfUVL/t/1dsfdVRwh+n5b3VCI9wOglVOzOiF+u2v60bL5K
4q6Xoz3m7z2wVokXoHy2ZX6AuYU4muRha3OOfx00PMHPgSJVxcvXsXEE/CQ8BjOJ
dkbu8MZ4TZl/JmVHIPjSu0TPvwVeHvlnI96Wxv5RJbkBDQRl8PoYAQgApAdcBNEd
eE6DvQnH56DMY0yLV7jpupqFK77CFwcGQ2X1yxOlOrXOlqZXVrQy96mV4WCKD4tH
owRuv0ZWCn4rEPOqVclFZ5HXsZemgV09AsePic/Oxh55hxa4TKq9f080yoT7amdL
oNUNM77JvEIgArCoxyrcZbXV8UkdTn2zqGqwOj/oRYqlIiJLURmZjADLji9lB9Xi
7+qEiN2XSxLQLg5RkLKIinc5xMEXVkJzq+ZnfFESgOvyM89GXEN9EAm5KSeldJI7
GVtmfPhyMWZ2+foFZT3FLmal/u9jBp8heGs+Kniwyx3SWrLlkI/miwcUdC/zbmNf
5z1gmujCLahK4wARAQABiQE8BBgBCgAmFiEEJDQ7vaDj6xH7CeYcuiwE301XB2UF
AmXw+hgCGwwFCQHhM4AACgkQuiwE301XB2WimQf/SvNxHG3NoeqTnDZ/89Xl0jTO
9/KDi1gd8J/TLH6bhQmHPk+hFoMP6wa0z16PE2n1ddXZYGmI4EGtsIDzO9gXIbJ+
xRfUVq9tM1SOo50TiFtTqF7RiU+pMlyHysb0+1fuheemBenkhR2rXKh5+Nwkr6oY
lr7gTPOREFTd23XkxXm5EQuDZ5ZLoUyWbTWj9L8AMd3uQ6Taw+2FReSHJFC6zcq7
eYQB7f1cPdhTELHMRIsYH09+RgtnpfqUxfV/QR3YMncPKbd6yXtpApAqjTeNe2Be
cjHs+UYFBNb7UfeH4WrRotvMJEfkjODBSDTJcQl/giCY1PYhLAUL2smJKAH3Mg==
=JvW7
-----END PGP PUBLIC KEY BLOCK-----What to include.
- A clear description of the issue and why it matters.
- Reproduction steps — URLs, payloads, headers, or accounts you used. Screenshots are welcome.
- Impact — what an attacker could do (data exposure, account takeover, code execution, etc.).
- The affected surface (revenuepoint.com, Foundry Portal, Gateway tenant, NPSP middleware, …).
- Optional: a minimal proof of concept. Please don’t exfiltrate live customer data.
- How you’d like to be credited — name, handle, or anonymous.
What to expect from us.
- Within 1 business day — a real human acknowledges your report. No auto-replies.
- Within 5 business days — triage, severity assessment, and a target window for the fix.
- Through to resolution — a status note at least every 7 days while we work the fix.
- Coordinated disclosure — default 90 days from initial report or fix release, whichever comes first. Credit goes to researchers who follow this policy.
Scope.
In scoperevenuepoint.com and subdomains; Foundry surfaces; Gateway and shipped connectors (Salesforce, SAP, custom REST); npsp-middleware on our supplied images; public APIs at api.revenuepoint.com; authentication, authorisation, tenant isolation, and audit-log integrity; anything that affects customer data confidentiality, integrity, or availability.
Out of scopevolumetric DoS or stress testing; social engineering of staff or customers; physical attacks; spam/phishing without security impact; vulnerabilities in third-party services we depend on (Salesforce, SAP, Stripe, etc.) — please report those to the respective vendor; best-practice findings without demonstrated exploitability (missing headers, version disclosure).
Safe harbor.
We will not pursue legal action against researchers who make a good-faith effort to follow this policy.
That means: report through [email protected]; don’t access more data than necessary to demonstrate the issue; don’t exfiltrate or publicly disclose customer data; don’t degrade service for our customers; give us a reasonable window to ship the fix before publishing.
This policy is intended to be compatible with HackerOne’s safe-harbor language and RFC 9116 (security.txt). If you’re unsure whether something is in scope, ask first.