Responsible disclosure
Last updated
If you believe you have found a security vulnerability in Hockystick, we want to hear about it — directly, before anyone else.
How to report
- 1Email [email protected] with a description of the issue, steps to reproduce, and the impact you believe it has.
- 2Include the URL, account context (a test account is fine), and any relevant request/response detail.
- 3If the issue exposes another user's data, stop at proof — do not enumerate further.
This contact is also published in machine-readable form at https://hockystick.app/.well-known/security.txt.
What we commit to
- Acknowledgement of your report within 48 hours.
- An honest assessment of severity and a timeline for the fix.
- Notification when the issue is resolved.
- No legal action against good-faith research conducted within this policy.
What we ask
- Give us reasonable time to fix the issue before public disclosure.
- Do not access, modify, or delete data belonging to real users.
- Do not run automated scanners that degrade service for others.
- Do not use social engineering, phishing, or physical attacks against our team or users.
Scope
In scope: hockystick.app and its subdomains, the API endpoints they call, and the authentication flows. Out of scope: third-party services we integrate with (Supabase, Cloudflare, Resend, HubSpot) — report issues in those platforms to their own programs — and denial-of-service findings.