Responsible disclosure
If you've found a security issue, email security@aldrickb.com with details. Please don't open a public GitHub issue.
We'll acknowledge within 72 hours. Bug bounties aren't formalized yet, but we're happy to credit researchers in the changelog and hand-write a thank-you.
Scope
In scope:
- Authentication and authorization issues (RLS escapes, JWT validation, account takeover).
- Sandbox escape from a worker container.
- File handling (path traversal, MIME confusion, archive bombs).
- Server-side request forgery.
Out of scope:
- Findings that require a privileged user account and only affect your own data.
- Rate-limit edge cases.
- Self-XSS.
