Skip to main content
If you’ve found a security vulnerability, please report it privately so we can fix it before it’s public. We’re grateful for responsible disclosure.

How to report

GitHub Security Advisories

Use “Report a vulnerability” on the open-core repository. This is the preferred channel.

Email

If GitHub advisories aren’t available to you, email security@webhook.co.

What to include

  • What you found and where, with enough detail to reproduce it.
  • The impact you think it has.
  • Any proof-of-concept, and how you’d suggest fixing it.

What to expect

We aim to acknowledge reports within a few business days and will keep you updated on progress. Please give us a reasonable window to investigate and ship a fix before any public disclosure. We’re happy to credit reporters who want it.
Please don’t run intrusive testing against production, exfiltrate data, or degrade the service while testing — report what you find and let us reproduce it.