How to report
Email security@toolglade.com with:
- A clear description of the vulnerability
- Steps to reproduce
- The affected URL, endpoint, or code path
- Optional: your name or handle for credit (we won't publish anything without your permission)
A machine-readable version of this contact information (an RFC 9116 security.txt file) is served at /.well-known/security.txt.
What to expect
- Initial response within 7 days. Usually faster. If you don't hear from us, please follow up — your email may have been filtered.
- An honest assessment. If we accept the report, we'll explain our plan. If we don't, we'll explain why (e.g. expected behavior, out of scope, already known).
- Updates as we fix it. For critical issues, we typically resolve within 30 days.
- Credit on request. For verified reports, we're happy to credit you publicly in the changelog or on this page.
What we ask of you
- Don't access user data beyond what is strictly needed to demonstrate the issue. If you can prove it with your own test account or synthetic data, please do that instead.
- Don't disrupt service. Avoid automated scanning, DDoS, or anything that affects other users.
- Give us time to fix. Please don't publicly disclose until we've had a reasonable chance to patch (typically 90 days, less for trivial fixes, sometimes more for complex ones).
- Don't extort. Demanding payment in exchange for disclosure is not coordinated disclosure — it's something else.
Scope
In scope: our production website, API, and infrastructure under the domains we operate.
Out of scope: third-party services we integrate with (Stripe, Resend, Cloudflare, Turso, Vercel, etc.). Please report those directly to the vendors. Social engineering of our staff, physical security, and vulnerabilities in dependencies we don't control are also out of scope, unless you can show they are exploitable in our deployment.
Bug bounty
We don't currently offer monetary bounties — we're a small operation. We do offer credit and our genuine thanks. If we ever launch a paid program, this page will be updated.
Safe harbor
We won't pursue legal action against researchers who:
- Make a good-faith effort to follow this policy
- Avoid violating user privacy or destroying data
- Give us reasonable time to respond before public disclosure
If you're not sure whether your testing is in scope, email us first and ask.
Hall of fame
When we receive verified reports, we'll list contributors here (with their permission).