RESPONSIBLE DISCLOSURE

Found a vulnerability? Thank you.

We'd rather you find the issues before someone else does. Here's our policy, channels, and commitment.

Reporting Channel

Report Here

Send a detailed description, reproduction steps, and screenshots if relevant. Your message is encrypted.

Rules of Engagement

Safe Harbor: We will not take legal action against security researchers acting in good faith and in accordance with this policy.

No Retaliation: We will never block or penalize a researcher who reports responsibly.

Coordination: We request 90 days for remediation before public disclosure.

Don't: Access other users' data, disrupt services, or run automated scans without prior coordination.

✅ In Scope

  • nodatacapsule.com and subdomains
  • @nodatachat/protect (npm package)
  • @nodatachat/guard (npm package)
  • API endpoints (/api/*)
  • Chrome Shield extension
  • Vault server (GCP)
  • SOC Scanner engine
  • Capsule daemon

❌ Out of Scope

  • Social engineering of NoData staff
  • DDoS / denial of service attacks
  • Physical attacks on infrastructure
  • Third-party services (Supabase, Vercel, GCP)
  • Automated scanning without prior consent
  • Vulnerabilities requiring physical device access
  • Self-XSS (requires user to paste code)

Response Timeline

24h: Initial acknowledgment
72h: Severity assessment and assignment to the technical team
7 days: First status update
30 days: Fix for Critical/High vulnerabilities
90 days: Fix for Medium/Low vulnerabilities
Post-fix: Publication in the Security Changelog (with reporter consent)

Severity & Recognition

We're an early-stage startup, so there are no monetary rewards yet. But we commit to:

Critical (RCE, auth bypass, data exfiltration, encryption break): Hall of Fame + public credit + career assistance
High (XSS, CSRF, privilege escalation, PII leak): Hall of Fame + public credit
Medium (information disclosure, rate limit bypass, IDOR): Hall of Fame
Low (missing headers, verbose errors, minor misconfiguration): Internal acknowledgment

🏆 Hall of Fame

Still empty, so be the first. Report responsibly and earn your place here.