Vulnerability Disclosure


Perfect Wiki appreciates the work of the security community in keeping our customers safe. If you believe you've found a security vulnerability in our service, we want to hear from you.

How to report

  • Email: [email protected]
  • Use a clear subject line, e.g. "Security report: <short summary>".
  • Include enough detail to reproduce: URL/endpoint, request payload, steps to reproduce, expected vs. actual behavior, impact, and screenshots or video where helpful.
  • If possible, include suggested mitigation.
  • If you discovered the issue with an automated tool, please reduce noise by validating the finding manually before submitting.

What we commit to

  • Acknowledge receipt of your report within 3 business days.
  • Provide an initial assessment of the report within 10 business days.
  • Keep you informed of remediation progress.
  • Credit you on this page or in our changelog, if you wish, once the issue is fixed.
  • Not pursue legal action against researchers who follow the rules below in good faith.

Rules of engagement (safe harbor)

We consider research activities that comply with this policy to be authorized, and will not initiate legal action against you for them. To stay within scope:

  • Do test only against your own account or accounts you have explicit permission to test.
  • Do not access, modify, or exfiltrate data that does not belong to you.
  • Do not perform denial-of-service testing, sustained automated scanning, or brute-force attacks.
  • Do not social-engineer Perfect Wiki personnel, customers, or vendors.
  • Do not publicly disclose the vulnerability until we confirm it is fixed and we have agreed on a disclosure timeline.
  • Do stop testing and contact us if you encounter customer data; do not download or retain it.

Scope

In scope:

  • perfectwiki.com, app.perfectwiki.xyz, api.perfectwiki.xyz, read.perfectwiki.xyz, docs.perfectwiki.com and other Perfect Wiki-operated domains.
  • The Public API, MCP server, and embedded integrations (Microsoft Teams, Slack).

Out of scope:

  • Vulnerabilities only exploitable by social engineering or physical access.
  • Self-XSS or other issues requiring victim cooperation against their own account with no realistic threat path.
  • Missing security headers without a demonstrable exploit.
  • Reports based purely on automated-tool output without a working proof of concept.
  • Issues in third-party sub-processors that are not specific to Perfect Wiki's configuration.

Rewards

Perfect Wiki does not currently operate a paid bug bounty program. We offer recognition and, at our discretion, swag or credit for genuinely impactful findings.

security.txt

A security.txt file is published at /.well-known/security.txt per RFC 9116.

Last reviewed: 2026-05-21.