Mantle
Security Policy
Last updated 2 July 2026
Scope
This policy covers mantleadvise.com and all subdomains operated by Square Peg Financial Pty Ltd (ABN 37 551 147 233) in connection with the Mantle platform.
Reporting a vulnerability
If you believe you've found a security issue, please email [email protected] with a clear description, steps to reproduce, and any relevant logs or screenshots. Encrypted email is welcome — request a PGP key in your first message if you'd like to use one.
We aim to acknowledge reports within two business days and to provide a remediation timeline within five business days for confirmed issues.
Safe harbour
Security research conducted in accordance with this policy is authorised. We will not pursue legal action against researchers who:
- Act in good faith and avoid privacy violations, service degradation, or disruption to other users;
- Report the issue promptly and do not disclose it publicly before remediation;
- Do not access, modify, or exfiltrate any data belonging to clients or the firm beyond what is minimally necessary to demonstrate the vulnerability;
- Do not perform destructive testing, denial-of-service, social engineering of staff, or physical intrusion.
Out of scope
The following are not eligible for report and will not receive a response:
- Missing security headers on non-sensitive endpoints;
- Reports produced solely by automated scanners without a demonstrable impact;
- Rate-limiting or brute-force issues on public endpoints without a working proof of concept;
- Social engineering, phishing of staff or clients, or physical attacks;
- Vulnerabilities in third-party services that we do not operate (e.g. Google, Anthropic, Cloudflare, Supabase, Resend);
- Findings in the DigitalOcean origin URL (seashell-app-j9csy.ondigitalocean.app) that are already addressed on the canonical mantleadvise.com domain.
Coordinated disclosure
We ask that reporters give us a reasonable window to remediate before public disclosure — typically 90 days from acknowledgement, or sooner if the issue is already remediated. We're happy to credit researchers publicly with permission.
Entity
Mantle is operated by Square Peg Financial Pty Ltd (ABN 37 551 147 233), Suite 201, 429 Bay Street, Brighton VIC 3186, Australia. Square Peg Financial Pty Ltd is a Corporate Authorised Representative (CAR 1283463) of Bombora Advice Pty Ltd (AFSL 439065).