
Vulnerability Disclosure Policy

Version 2.0 · Safe harbour for security researchers

1. Our Commitment

Endorsr takes the security of our platform and user data seriously. We welcome input from security researchers and the wider community. If you believe you have found a security vulnerability, we encourage you to report it to us responsibly.

2. Scope

This policy applies to all systems operated by Endorsr (endorsr.co), including web applications, APIs, edge functions, and supporting infrastructure. It does not apply to third-party services we use (Supabase, Stripe, Cloudflare, etc.) — those should be reported directly to the relevant provider.

3. Reporting

Please report vulnerabilities via email to [email protected]. Provide as much detail as possible, including:

  • The affected system or URL
  • A description of the vulnerability and potential impact
  • Steps to reproduce (including proof of concept where possible)
  • Your contact information (optional, but helpful for follow-up)

4. Safe Harbour

If you act in good faith and comply with this policy, Endorsr commits to:

  • Not pursuing legal action against you for your research
  • Working with you to understand and validate the reported issue
  • Giving appropriate credit for validated disclosures (if desired)
  • Not referring your activity to law enforcement for research conducted under this policy

5. Guidelines

When conducting security research:

  • Do not access, modify, or delete data you do not own
  • Do not disrupt, degrade, or deny service to other users
  • Do not use social engineering, phishing, or physical attacks
  • Do not publicly disclose the vulnerability before we have addressed it
  • Stop testing and report immediately if you accidentally access user data

6. Out of Scope

The following are out of scope: rate limiting, missing HTTP headers (without demonstrated impact), self-XSS, clickjacking on non-sensitive pages, and theoretical vulnerabilities without a practical exploit path.

7. Response Timeline

Phase                   Timeline
Acknowledgement         Within 48 hours
Triage & validation     Within 5 business days
High/Critical fix       Within 14 days
Medium/Low fix          Within 45 days

8. Recognition

We maintain a hall of fame for researchers who report valid vulnerabilities. If you would like to be credited, please indicate this in your report. We do not currently operate a bug bounty programme.