Responsible disclosure

Last updated

If you believe you have found a security vulnerability in Hockystick, we want to hear about it — directly, before anyone else.

How to report

  1. 1Email [email protected] with a description of the issue, steps to reproduce, and the impact you believe it has.
  2. 2Include the URL, account context (a test account is fine), and any relevant request/response detail.
  3. 3If the issue exposes another user's data, stop at proof — do not enumerate further.

This contact is also published in machine-readable form at https://hockystick.app/.well-known/security.txt.

What we commit to

  • Acknowledgement of your report within 48 hours.
  • An honest assessment of severity and a timeline for the fix.
  • Notification when the issue is resolved.
  • No legal action against good-faith research conducted within this policy.

What we ask

  • Give us reasonable time to fix the issue before public disclosure.
  • Do not access, modify, or delete data belonging to real users.
  • Do not run automated scanners that degrade service for others.
  • Do not use social engineering, phishing, or physical attacks against our team or users.

Scope

In scope: hockystick.app and its subdomains, the API endpoints they call, and the authentication flows. Out of scope: third-party services we integrate with (Supabase, Cloudflare, Resend, HubSpot) — report issues in those platforms to their own programs — and denial-of-service findings.