Security

Email security@ringdispatch.com with a description of the issue, steps to reproduce, and the potential impact. Include any proof-of-concept code or screenshots inline or as attachments.

If the issue is sensitive (e.g. account takeover, data exposure), please do notopen a public GitHub issue or post on social media until we've had a chance to fix it. We aim to acknowledge within 2 business days and resolve critical issues within 30 days.

• The production deployment at ringdispatch.com and subdomains.
• Our public API endpoints under /api/*.
• Authentication, authorization, and tenant-isolation issues (cross-tenant data access, privilege escalation, session fixation, etc.).
• Caller-data exposure or recording-policy violations.

• Reports generated solely by automated scanners with no demonstrated impact (e.g. “missing security header” with no exploit path).
• Self-XSS, clickjacking on pages that don't expose actions, or social-engineering attacks against our team or customers.
• Issues in third-party services we integrate with — report those directly to Anthropic, Twilio, ElevenLabs, or Stripe.
• Denial-of-service or rate-limit testing against production. Use your own dev tenant if you need to test at load.

As long as you make a good-faith effort to comply with this policy, we will not initiate legal action and will treat the research as authorized under applicable computer-misuse laws. If a third party brings action against you for activities conducted in accordance with this policy, we will make that authorization known.