PostNext security policy
PostNext takes the security of its web app, MCP server, mobile clients, and the data they handle seriously. If you believe you have found a vulnerability, we want to hear about it.
Reporting a vulnerability
Please email security@postnext.io with:
- A description of the issue and its potential impact.
- Steps to reproduce, with any proof-of-concept code or screenshots.
- The affected surface (postnext.io, app.postnext.io, mcp.postnext.io, mobile apps, blog).
- Your name or handle for credit, if you want to be acknowledged.
We aim to acknowledge new reports within 3 business days and to keep you updated as we investigate.
In scope
- postnext.io and all subdomains we operate (app.postnext.io, mcp.postnext.io, api-app.postnext.io).
- The PostNext MCP server at mcp.postnext.io/api and its OAuth surface.
- PostNext mobile apps (iOS, Android) when published.
- The PostNext WordPress integration plugin.
Out of scope
- Vulnerabilities in our third-party processors (OpenAI, Google, Stripe, Anthropic, Azure, AWS, the six social platforms) — please report those directly to the vendor.
- Reports requiring physical access to a victim's device, social engineering of PostNext staff, or denial-of-service through traffic volume.
- Issues already publicly disclosed.
- Theoretical issues without a demonstrated impact path.
Safe harbour
If you make a good-faith effort to comply with this policy during your security research, we will consider that research to be authorised, we will work with you to understand and resolve the issue quickly, and we will not pursue or support legal action related to your research.
Coordinated disclosure
We ask that you give us a reasonable opportunity to investigate and remediate before any public disclosure. We are happy to credit you in any public advisory once the issue is resolved.
Machine-readable
A /.well-known/security.txt file is published per RFC 9116 with the same contact and policy URLs.