Responsible disclosure

How to report security vulnerabilities in LoggerMan.

Last updated: 2026-06-03

We appreciate researchers and customers who report security issues responsibly. Please do not test against other customers' projects or attempt destructive actions on production data.

What to report

  • Authentication or authorization bypasses
  • Ingest or API issues that expose other tenants' data
  • Stored XSS or injection in the dashboard
  • Secrets exposed in client bundles or public endpoints

Out of scope

  • Social engineering, physical access, or denial-of-service tests
  • Issues in third-party services (Clerk, Convex, Vercel) — report to them directly
  • Missing security headers without demonstrated impact

How to submit

Email marvin.kiefer@swisswebdev.ch with:

  • A clear description and reproduction steps
  • Impact assessment (confidentiality, integrity, availability)
  • Optional proof-of-concept — avoid exfiltrating real customer logs

Our commitment

We aim to acknowledge reports within five business days and to provide a remediation timeline when a report is valid. We do not currently offer a paid bug bounty program; we may recognize significant findings at our discretion.

See also our trust center and privacy policy.