proof .

Security and vulnerability disclosure

Last updated: 2 June 2026

Reports of security vulnerabilities in proof. are welcome. This policy explains what is in scope, how to report, what to expect in response, and the safe-harbour terms under which you may test.

Reporting

Send reports to security@proofcook.com. Include enough detail to reproduce the issue — affected URL or endpoint, steps, and impact. Encrypted reports are welcome; ask for a key if you need one.

Scope

In scope:

  • The proof. application and its API.
  • The marketing site at proofcook.com.
  • Authentication, session handling, and access-control flaws.
  • Data exposure across user accounts.

Out of scope:

  • Findings that require physical access to a user's device.
  • Social engineering of the maintainer or users.
  • Denial-of-service or volumetric testing.
  • Reports from automated scanners with no demonstrated, reproducible impact.
  • Issues in third-party platforms (such as Cloudflare or GitHub) — report those to the relevant provider.
  • Missing best-practice headers without a concrete exploit.

Response commitment

proof. is maintained by an individual, so timelines reflect best effort rather than a staffed rota:

  • A valid report is acknowledged within 72 hours.
  • The maintainer triages and aims to fix or provide a remediation plan within 30 days, depending on severity and complexity.
  • You will be kept updated on progress and told when the issue is resolved.

Safe harbour

If you make a good-faith effort to comply with this policy during your research, the maintainer will not pursue or support legal action against you, and your testing is considered authorised. Good faith means:

  • Stay within the scope above.
  • Do not access, modify, or delete data that is not your own.
  • Use only the minimum testing necessary to demonstrate a finding.
  • Do not degrade the service for others.
  • Allow reasonable time to remediate before any public disclosure.

If in doubt about whether an action is authorised, ask before proceeding.

No bounty

There is no monetary bug-bounty programme at this time. Responsible reports are appreciated, and you will be credited for a valid finding if you would like to be named.

Contact

Security reports: security@proofcook.com. Privacy questions: privacy@proofcook.com.


© 2026 proof.

Obsidian and Notion are trademarks of their respective owners.