Reporting vulnerabilities
Email info@worklinker.com with details of the issue, steps to reproduce, and the impact. We respond within 48 hours.
We will not pursue legal action against researchers who act in good faith, stay within the scope below, and do not access other customers' data.
What we protect
- POPIA-aligned personal data handling for workers and clients.
- Medical and safety data is consent-gated per worker and only visible to the tier the scanner is authorised for.
- Row-level security isolates every client's data on Postgres.
- Two-factor authentication is required for administrators.
- All secrets are rotated at least every 90 days.
In scope
- Any subdomain of 3dprintingwarehouse.co.za serving Filaway.
- Public API endpoints under /api.
- Mobile web experience for drivers, inspectors and workers.
Out of scope
- Social engineering of staff or customers.
- Denial of service, rate-limit abuse, or volumetric attacks.
- Third-party services we depend on: Supabase, Vercel, Twilio, Upstash, Sentry.
- Issues already documented as known limitations.
Recognition
We do not currently run a paid bug bounty. Valid reports are credited publicly on this page (with your consent) and earn a Filaway thank-you pack.