Security
Report a vulnerability
If you have found a security issue, please email us before disclosing it publicly. We handle all reports confidentially.
Contact: [email protected]
What we promise
- First response within 72 hours of receipt.
- 90-day coordinated disclosure window — we will work with you before any public release.
- We will acknowledge your contribution in our hall of fame, unless you prefer to remain anonymous.
Scope
The following are in scope:
- whatdoiowe.cy and all subdomains (*.whatdoiowe.cy)
- Our own authentication system (self-hosted — not a third-party identity provider)
- The scraper worker running on our own VPS
Out of scope
The following are outside the scope of this program. Please do not test or report them:
- Denial-of-service attacks (DDoS or application-layer)
- Social engineering of our team or users
- Third-party services we rely on but do not control: Supabase, Stripe, Vercel, Upstash, Resend, Sentry, Better Stack, Plausible
Hall of fame
Researchers will be acknowledged here once we have our first report.