Draft — under review, not yet in force.

Security & Disclosure

Last updated June 11, 2026 · Version 1 · Questions? contact us.

If you have found a security vulnerability in Fixnet's products or services, we want to hear from you. This page describes what is in scope, how to reach us, and what you can expect in return.

Scope

This policy covers vulnerabilities in:

  • The desktop and web app — the Fixnet macOS app and the browser edition at app.fixa.sh.
  • The backend — the sync relay, account and entitlement endpoints, and the store API.
  • The marketing and store sites — fixa.sh and store.fixa.sh.

Plugins and MCP servers installed through the store are third-party software; report issues in them to the relevant plugin author. Vulnerabilities in the third-party services Fixnet depends on (Supabase, Fly.io, Cloudflare, Paddle) should be reported directly to those providers.

How to report

Email security@fixa.sh with:

  • A description of the vulnerability and its potential impact.
  • Steps to reproduce or a proof-of-concept. A working exploit is not required; a clear, reproducible description is enough.
  • The version or URL of the affected component if known.
  • Your preferred contact method and, if you want public credit, the name or handle to use.

We treat all incoming reports as confidential. Please do not disclose the vulnerability publicly until we have confirmed and addressed it (coordinated disclosure).

Our commitments

  • Acknowledgement — we will acknowledge your report within 48 hours.
  • Updates — we will keep you informed of our progress at least once a week until the issue is resolved.
  • No legal action — we will not pursue legal or regulatory action against researchers who discover and report vulnerabilities in good faith within scope. This applies as long as you do not access data beyond what is needed to demonstrate the issue, do not degrade the service for others, and do not disclose the vulnerability before we have had a reasonable opportunity to address it.
  • Credit — we will credit you by name or handle in the release notes for the fix, unless you prefer to remain anonymous.

Out of scope

The following are outside the scope of this policy:

  • Denial-of-service attacks or any testing that degrades service availability for others.
  • Social engineering of Fixnet staff or contractors.
  • Physical attacks against infrastructure.
  • Vulnerabilities in third-party services — report those to the relevant provider.
  • Automated scanner output submitted without a clear description of impact.

No bounty programme

We do not currently operate a paid bug-bounty programme. We offer public credit and our genuine thanks.