In scope

  • https://app.wouterg.nl
  • This GitHub repository.
  • Authentication, tenant isolation and operator-only cockpit flows.
  • Report and policy generation routes, including human-review safeguards.

Out of scope

  • Denial-of-service, load testing or other tests that could disrupt production.
  • Social engineering, phishing, physical attacks or attacks against third parties.
  • Spam, scraping, destructive testing or modification/deletion of data.
  • Access to or exfiltration of customer data beyond the minimum safe proof.
  • Scanner output without practically demonstrable impact.

What should your report include?

  • Vulnerability type and expected impact.
  • Affected URL, route, API endpoint, file or commit.
  • Clear reproduction steps and a safe proof of concept where possible.
  • Whether any data was viewed, and if so: only minimal context, without sending customer data.
  • Your preferred contact details and any preference for attribution.

Research rules

Act in good faith, stop once the vulnerability is confirmed, avoid privacy impact and keep details confidential until remediation and any disclosure have been coordinated. There is currently no paid bug bounty program.

Safe-harbor intent

If you follow this policy and act in good faith, our intent is not to take legal action because of the described research. This is not legal advice and does not bind third parties.