Security

If you've found a security issue, please email [email protected] rather than filing a public report. I'll respond within 72 hours and credit you (with permission) once the issue is resolved.

In scope

• Account takeover or authentication bypass.
• Privilege escalation (a regular user gaining moderator/admin access).
• Reading another user's private messages or unpublished content.
• Leaked PII or session tokens.
• SQL injection, stored XSS, CSRF on sensitive actions, or any vulnerability in the Supabase Row-Level Security policies.
• Vote or cred manipulation that bypasses the per-user, one-vote-per-target enforcement.

Out of scope

• Spam or low-effort content posted by ordinary users (use moderation, not security disclosure).
• Self-XSS, clickjacking on pages without sensitive actions, or attacks requiring physical access to a victim's device.
• Social engineering of users or staff.
• Denial-of-service or volumetric attacks.

Please don't

• Test against live user accounts other than your own.
• Run automated scanners that generate significant traffic.
• Publish details of an unfixed vulnerability before we've had a chance to patch it.

No bounty program at this stage. We're a small project and appreciate responsible disclosure regardless.