Security

Responsible disclosure guidance for the Previu website, mobile apps, and production API surfaces.

Last updated: March 10, 2026

1. Reporting a Security Issue

Report vulnerabilities to security@previu.app. Include the affected environment, reproduction steps, impact, and any proof-of-concept material needed to validate the issue.

Good-faith research

If you act in good faith, avoid privacy violations, and do not degrade service availability, we will treat your research as authorized under this policy.

2. Scope

  • previu.app public website and public legal pages.
  • api.previu.app production API endpoints and supported webhook surfaces.
  • Official Previu mobile applications and supported authentication, sync, and billing flows.

3. Out of Scope

  • Social engineering, phishing, or pretexting.
  • Denial-of-service, spam, or availability attacks.
  • Physical attacks or attacks requiring stolen credentials.
  • Automated scans that create service degradation or broad data access.
  • Accessing, modifying, or retaining user data beyond what is strictly necessary to prove an issue.

4. What To Include

  1. The affected URL, endpoint, screen, build, or flow.
  2. Clear reproduction steps and prerequisites.
  3. Expected behavior versus actual behavior.
  4. Observed impact, severity rationale, and data exposure potential.
  5. Supporting payloads, screenshots, logs, or video when useful.

5. Response Targets

  • Initial acknowledgement within 3 business days.
  • Triage update within 7 business days when reproduction succeeds.
  • Remediation timing based on severity, exploitability, and operational risk.

6. Acknowledgments

We appreciate responsible reports that help improve user safety, privacy, and reliability. With researcher consent, we may acknowledge valid reports here after remediation.