Coordinated Disclosure

Report a vulnerability

We follow the disclose.io core terms. If you find a security issue affecting VC Deal Flow Signal in good faith and follow this policy, we will not pursue legal action.

Quick path

Email signal@gitdealflow.com with subject prefix "[security]".
Include: brief title, scope (URL/host), reproduction steps, impact, and your handle for attribution if you want to be listed.
We acknowledge within 72 hours and triage within 5 business days.

Safe harbor

We will not initiate legal action against researchers who in good faith follow this policy: do not access more data than necessary, avoid degrading service for other users, do not modify or destroy data, and give us reasonable time to respond before public disclosure (90 days, coordinated).

In scope

https://signals.gitdealflow.com (apex + all subpaths)
https://gitdealflow.com (apex + all subpaths)
https://gitdealflow-pb.fly.dev (PocketBase backend)
@gitdealflow/mcp-signal (npm package)
The Chrome extension at hehkgipiamajnnlpkfhpeoeaoaogmknn

Out of scope

Subprocessor systems (Stripe, Vercel, Resend, etc.) — please report via their own programs
Editorial findings on /content/* SEO copy
Self-XSS and clickjacking on pages without sensitive actions
Issues that require physical access or social engineering
Rate-limit-only issues without a security impact
Reports from automated scanners without manual validation
Best-practice nits on missing security headers for static asset paths

High-priority categories

Auth / authz bypass on /api/account/* or share-token endpoints
SSRF via image proxies
Stored XSS executable in an authenticated context
Remote code execution / command injection
Information disclosure of subscriber PII or Stripe metadata
IDOR on share-token / receipts surfaces
Subdomain takeover affecting any in-scope hostname

Reward

Pre-revenue solo operation. We can't yet pay cash bounties, but for valid reports we offer:

Attribution on the public hall-of-fame at /security/hall-of-fame (or anonymous, your choice)
A free Sharp Tier subscription for the year following responsible disclosure
A personal thank-you note from the founder

Response SLAs

Acknowledgement: within 72 hours
Triage decision: within 5 business days
Median fix time: 14 business days for high/critical
Public coordinated disclosure: 90 days from initial report

Out of scope

Subprocessor systems (Stripe, Vercel, Resend, etc.) — please report via their own programs

Editorial findings on /content/* SEO copy

Self-XSS and clickjacking on pages without sensitive actions

Issues that require physical access or social engineering

Rate-limit-only issues without a security impact

Reports from automated scanners without manual validation

Best-practice nits on missing security headers for static asset paths

High-priority categories

Auth / authz bypass on /api/account/* or share-token endpoints

SSRF via image proxies

Stored XSS executable in an authenticated context

Remote code execution / command injection

Information disclosure of subscriber PII or Stripe metadata

IDOR on share-token / receipts surfaces

Subdomain takeover affecting any in-scope hostname

Reward

Pre-revenue solo operation. We can't yet pay cash bounties, but for valid reports we offer:

Attribution on the public hall-of-fame at /security/hall-of-fame (or anonymous, your choice)

A free Sharp Tier subscription for the year following responsible disclosure

A personal thank-you note from the founder