Security

Security matters. If you discover a vulnerability in PrivateStater, please disclose it responsibly.

Reporting a Vulnerability

If you believe you've found a security vulnerability, report it via email. I'll work with you to understand and fix it.

Response Timeline

I aim to acknowledge your report within 48 hours. I'll keep you updated and let you know when it's fixed.

What to Include

Please include the following information in your report:

• Description of the vulnerability
• Steps to reproduce the issue
• Affected URL or component
• Your assessment of the potential impact
• Any proof-of-concept code (if applicable)

Scope

The following are in scope for security reports:

• PrivateStater (privatestater.com)
• PrivateStater ID (id.privatestater.com)
• Client-side script (privatestater.com/privatestater.js)
• Dashboard
• User authentication
• APIs
• Email system (*@privatestater.com and *@id.privatestater.com)

Out of Scope

The following are not considered valid security reports:

• Denial of Service (DoS, DDoS) attacks
• Social engineering or phishing
• Physical attacks against PrivateStater's infrastructure
• Issues in third-party services I use
• Vulnerabilities requiring physical access to a user's device
• Reports from automated scanning tools without verification

Prohibited actions

Please avoid the actions below. If testing a vulnerability requires any of them, email me with details and I'll test it myself.

• Preventing other users from using the service normally
• Infringing on other users' information
• Causing server overload

Bug Bounty

PrivateStater is a solo project, so I can't offer monetary rewards right now. If you'd like recognition, I can credit you on the contributors list.

Safe Harbor

I won't take legal action against security researchers who discover and report vulnerabilities in good faith while following these guidelines. Thanks for helping keep things safer.