Security & Support

Your agency administrator is the first point of contact for account, seat, and access questions. For anything else, reach our team at support@maddict.net. Please include your agency name and a clear description of the issue so we can help quickly. We aim to respond within [support SLA] business hours.

We welcome reports from security researchers. If you believe you have found a vulnerability, email security@maddict.net. Our machine-readable policy is published at /.well-known/security.txt.

Please include:

• A clear description of the issue and its potential impact.
• Step-by-step instructions to reproduce it.
• Any proof-of-concept, affected URLs, and your contact details.

We will acknowledge your report within [acknowledgement window] and keep you updated as we investigate and remediate. We ask that you give us a reasonable opportunity to fix an issue before any public disclosure.

We will not pursue legal action against researchers who act in good faith and follow this policy. Good-faith research means you:

• Do not access, modify, or delete data that is not your own.
• Do not degrade, disrupt, or run denial-of-service tests against the Service.
• Do not exfiltrate data, and stop and report as soon as a vulnerability is confirmed.
• Comply with applicable law.

In scope: the Maddict Audience Cloud application and its authentication flows. Out of scope: third-party subprocessor infrastructure (e.g. Supabase, Vercel, Cloudflare, Resend, Sentry), social engineering of staff or users, physical attacks, and volumetric denial-of-service.