We take the security of our users' data very seriously. Learn how to responsibly report vulnerabilities and help us improve.
Scope
Accepted vulnerabilities:
Cross-Site Scripting (XSS)
Cross-Site Request Forgery (CSRF)
SQL Injection and other injection attacks
Authentication and authorization flaws
Sensitive data exposure
Insecure configurations
Business logic vulnerabilities
Out of scope:
Social engineering attacks
Physical attacks
Denial of Service (DoS/DDoS)
Vulnerabilities in third-party services
Spam or phishing
Severity Classification
We use the CVSS standard to classify vulnerabilities:
Critical (9.0 - 10.0)
High (7.0 - 8.9)
Medium (4.0 - 6.9)
Low (0.1 - 3.9)
How to Report
When reporting a vulnerability, please include:
Detailed description of the vulnerability
Steps to reproduce the issue
Potential impact assessment
Suggested fix (if available)
Screenshots or proof-of-concept (optional)
Response Process
1. Confirmation: We acknowledge receipt within 48 hours
2. Analysis: We evaluate the vulnerability within 7 business days
3. Fix: We develop and test the fix according to severity
4. Notification: We notify you when the fix is deployed
Recognition
As an early-stage startup, we currently don't have a budget for a Bug Bounty program with financial rewards. However, we sincerely hope to have the resources to properly support security researchers in the future.
Currently we offer:
Public recognition in our Hall of Fame
Special acknowledgment for significant findings
Rules of Engagement
Do not access data belonging to other users
Do not delete or modify data
Avoid testing in production when possible
Maintain confidentiality until the fix is deployed
Do not exploit vulnerabilities beyond proof-of-concept