Security
Security matters. If you discover a vulnerability in PrivateStater, please disclose it responsibly.
Translation notice
Some machine translations (e.g., Google Translate, Papago) have been reported to mistranslate parts of this page. For the most accurate information, refer to the original English text.
Reporting a Vulnerability
If you believe you've found a security vulnerability, report it via email. I'll work with you to understand and fix it.
Email: hello@privatestater.com
Response Timeline
I aim to acknowledge your report within 48 hours. I'll keep you updated and let you know when it's fixed.
What to Include
Please include the following information in your report:
- Description of the vulnerability
- Steps to reproduce the issue
- Affected URL or component
- Your assessment of the potential impact
- Any proof-of-concept code (if applicable)
Scope
The following are in scope for security reports:
- PrivateStater (privatestater.com)
- Client-side script (privatestater.com/privatestater.js)
- Dashboard
- User authentication
- APIs
- Email system (*@privatestater.com)
Out of Scope
The following are not considered valid security reports:
- Denial of Service (DoS, DDoS) attacks
- Social engineering or phishing
- Physical attacks against PrivateStater's infrastructure
- Issues in third-party services I use
- Vulnerabilities requiring physical access to a user's device
- Reports from automated scanning tools without verification
Prohibited Actions
Please avoid the actions below. If testing a vulnerability requires any of them, email me with details and I'll test it myself.
- Preventing other users from using the service normally
- Infringing on other users' information
- Causing server overload
Bug Bounty
PrivateStater is a solo project, so I can't offer monetary rewards right now. If you'd like recognition, I can credit you on the contributors list.
Safe Harbor
For vulnerability research conducted under this policy, PrivateStater considers that research to be:
- Authorized under applicable anti-hacking laws. PrivateStater will not initiate or support legal action against you for accidental, good-faith violations of this policy;
- Authorized under applicable anti-circumvention laws. PrivateStater will not bring a claim against you for circumvention of technology controls in the course of good-faith research;
- Exempt from PrivateStater's Terms of Service (TOS) and Acceptable Use Policy (AUP) to the extent they would interfere with good-faith security research under this policy; PrivateStater waives those restrictions on a limited basis; and
- Lawful, in the interest of Internet security more broadly, and conducted in good faith.
You must still comply with all applicable laws. If a third party initiates legal action against you and you have followed this policy, I will take reasonable steps to make it known that your actions were in line with this policy.
If you are unsure whether your research aligns with this policy, contact PrivateStater using the channel described under Reporting a Vulnerability before you go further.
This Safe Harbor applies only to legal positions PrivateStater can control. It does not bind independent third parties.