Security disclosure
This is the public version of our security policy. The full SECURITY.md in the source repo is the authoritative document.
How to report
Email [email protected] with subject prefix [SECURITY].
Please don't open a public GitHub issue, post on social media, or publish details before we've fixed the issue and agreed a coordinated-disclosure date with you.
If you need encrypted disclosure, email the address above to request a PGP key — we'll issue one on demand. We don't currently publish a key by default.
What to include
A reproducible report. Minimum:
- Affected component (URL, API endpoint, CLI command).
- Steps to reproduce — exact requests / payloads / sequence of actions.
- Impact — what an attacker could do. Honest theoretical impact is fine; you don't need a polished exploit.
- Your environment (browser + OS for UI; client + library for API).
- How you'd like to be credited, if at all.
What to expect
| Stage | Timeline |
|---|---|
| Acknowledge receipt | Within 5 business days |
| Initial triage | Within 14 calendar days |
| Fix / mitigation | Critical: as fast as we can verify. Medium: next release. Low: routine. |
| Coordinated disclosure | 90 days by default, longer if needed for fix complexity |
These are realistic timelines for a small team, not aspirational SLAs. If you don't hear from us within the acknowledge-receipt window, please nudge us — that's a bug on our side.
Scope
In scope: the portal (app.cred-watch.com), docs site, our public GitHub repo, authentication / session / MFA flows, tenant isolation, encryption of stored credentials, email integrations (SMTP delivery, webhook signatures, the bounce-webhook handler).
Out of scope: volumetric DoS, third-party services we depend on (report directly to them), social engineering, physical attacks on the hosting provider, issues that require an attacker to already control the victim's email/device, self-XSS, missing security headers on endpoints that don't return user data.
If you're not sure whether something is in scope, send the report anyway — we'll classify it.
Safe harbor
We commit to not pursuing legal action against good-faith security research that follows this policy. We expect, in return, that you stop testing once you've confirmed the issue, don't access data beyond what's needed for proof, and don't publicly disclose before the agreed date.
The full safe-harbor clause is in SECURITY.md.
Bug bounty
We don't currently run a paid bug bounty. We offer:
- Public credit (with your permission) on this docs site.
- A swag/discount-code gesture for impactful reports.
A paid program is on the longer-term roadmap.
Last reviewed: 2026-05-22.