Skip to main content

Security

Report a vulnerability

If you have found a security issue, please email us before disclosing it publicly. We handle all reports confidentially.

Contact: [email protected]

What we promise

  • First response within 72 hours of receipt.
  • 90-day coordinated disclosure window — we will work with you before any public release.
  • We will acknowledge your contribution in our hall of fame, unless you prefer to remain anonymous.

Scope

The following are in scope:

  • whatdoiowe.cy and all subdomains (*.whatdoiowe.cy)
  • Our own authentication system (self-hosted — not a third-party identity provider)
  • The scraper worker running on our own VPS

Out of scope

The following are outside the scope of this program. Please do not test or report them:

  • Denial-of-service attacks (DDoS or application-layer)
  • Social engineering of our team or users
  • Third-party services we rely on but do not control: Supabase, Stripe, Vercel, Upstash, Resend, Sentry, Better Stack, Plausible

Hall of fame

Researchers will be acknowledged here once we have our first report.