Reporting a security issue

Last updated 21 May 2026

We welcome reports from security researchers, customers, and members of the public who believe they have found a vulnerability in Mia Accounting. This page describes how to report a security issue to us and what you can expect in return.

How to report

Email security@miabazo.com with as much of the following as you can:

  • a description of the issue and the impact you believe it has;
  • the URL, request, or screen on which the issue can be reproduced;
  • step-by-step reproduction instructions and any proof-of-concept payload;
  • your name or handle if you would like to be credited.

Scope

In scope

  • The Mia Accounting web application and its API endpoints.
  • The HMRC OAuth callback handler and any code paths that touch HMRC access or refresh tokens.
  • Authentication, session management, authorisation, and tenant isolation between businesses.

Out of scope

  • Third-party services we depend on (Microsoft Azure, HMRC, Stripe, SendGrid, GoCardless, Anthropic) — report those to the provider directly.
  • Social-engineering attacks against Mia Accounting staff or customers.
  • Reports based solely on missing best-practice HTTP headers, in the absence of a demonstrable security impact.
  • Denial-of-service testing, including volumetric or rate-limit probing.
  • Findings on test or staging hosts that are clearly labelled as such.

What we'll do

  • Acknowledge your report within 2 working days.
  • Triage and confirm or reject the issue within 10 working days.
  • Keep you updated on remediation progress.
  • Credit you publicly (with your permission) once the fix is deployed.

Safe harbour

Provided you act in good faith, stay within the scope above, do not access or modify customer data beyond what is strictly necessary to demonstrate the issue, and give us a reasonable opportunity to remediate before any public disclosure, we will not pursue civil or criminal action against you in respect of your research.

Notifying HMRC

Where a vulnerability relates to data we hold on behalf of customers in connection with HMRC Making Tax Digital, we will additionally notify HMRC's Software Developer Support team at softwaredevelopersupport@service.hmrc.gov.uk in line with the breach-notification commitment in our Privacy Policy.