Security

Report security issues to security@relin.app.

Last updated: April 22, 2026

If you believe you've found a vulnerability in Relin, we want to hear about it quickly and we want you to feel safe telling us.

How to report

Email security@relin.app with a description of the issue, the affected URL or surface, steps to reproduce, and any proof-of-concept you used. Screenshots, logs, and example requests are welcome. You do not need to attach raw customer data — a clear description is more useful.

We will acknowledge your report within two business days and keep you updated through resolution. If the issue is critical and in-flight exploitation is a concern, say so in the subject line and we will prioritize accordingly.

Safe harbor

If you report a vulnerability in good faith and you do not access, modify, exfiltrate, or destroy customer data beyond what is necessary to demonstrate the issue, we will not pursue legal action or report you to law enforcement. This applies to any researcher following this policy.

Do not test account creation or deletion, billing, or deletion sweeps against real customer accounts. Do not run scanners or fuzzers against our production surfaces at rates that could affect customer traffic. Use your own account for testing and let us know what rate you intend to send before starting.

In scope

  • Issues affecting Relin's web surfaces, APIs, MCP endpoints, OAuth flows, ingest and delivery paths, replay, portal, and billing integrations.
  • Authentication, authorization, and workspace isolation bugs.
  • Injection, deserialization, SSRF, and similar classes against Relin-operated services.
  • Issues in signature verification or webhook delivery that could let an attacker forge events or destinations.

Out of scope

  • Social engineering of Relin staff or customers.
  • Denial-of-service, volumetric, or rate-limit abuse testing.
  • Reports that consist of automated scanner output without a validated impact.
  • Issues on third-party services we use; please report those to the third party directly. We will coordinate on items that materially affect Relin customers.

Disclosure

We prefer coordinated disclosure. After a fix ships we will publish a brief advisory naming the researcher if you want credit, and will not name you otherwise.