Mantle

Security Policy

Last updated 2 July 2026

Scope

This policy covers mantleadvise.com and all subdomains operated by Square Peg Financial Pty Ltd (ABN 37 551 147 233) in connection with the Mantle platform.

Reporting a vulnerability

If you believe you've found a security issue, please email [email protected] with a clear description, steps to reproduce, and any relevant logs or screenshots. Encrypted email is welcome — request a PGP key in your first message if you'd like to use one.

We aim to acknowledge reports within two business days and to provide a remediation timeline within five business days for confirmed issues.

Safe harbour

Security research conducted in accordance with this policy is authorised. We will not pursue legal action against researchers who:

  • Act in good faith and avoid privacy violations, service degradation, or disruption to other users;
  • Report the issue promptly and do not disclose it publicly before remediation;
  • Do not access, modify, or exfiltrate any data belonging to clients or the firm beyond what is minimally necessary to demonstrate the vulnerability;
  • Do not perform destructive testing, denial-of-service, social engineering of staff, or physical intrusion.

Out of scope

The following are not eligible for reporting and will not receive a response:

  • Missing security headers on non-sensitive endpoints;
  • Reports produced solely by automated scanners without a demonstrable impact;
  • Rate-limiting or brute-force issues on public endpoints without a working proof of concept;
  • Social engineering, phishing of staff or clients, or physical attacks;
  • Vulnerabilities in third-party services that we do not operate (e.g. Google, Anthropic, Cloudflare, Supabase, Resend);
  • Findings in the DigitalOcean origin URL (seashell-app-j9csy.ondigitalocean.app) that are already addressed on the canonical mantleadvise.com domain.

Coordinated disclosure

We ask that reporters give us a reasonable window to remediate before public disclosure — typically 90 days from acknowledgement, or sooner if the issue is already remediated. We're happy to credit researchers publicly with permission.

Entity

Mantle is operated by Square Peg Financial Pty Ltd (ABN 37 551 147 233), Suite 201, 429 Bay Street, Brighton VIC 3186, Australia. Square Peg Financial Pty Ltd is a Corporate Authorised Representative (CAR 1283463) of Bombora Advice Pty Ltd (AFSL 439065).
