Responsible Disclosure

How to report

Email us at security@builderscroll.com. Please include enough detail to reproduce the issue: affected URL or endpoint, steps to reproduce, the impact you observed, and any proof-of-concept material. Encrypted reports are welcome — ask us for a key over the same channel.

Our machine-readable contact lives at /.well-known/security.txt.

What to expect

• Within 72 hours — an acknowledgement that we’ve received your report.
• Within 7 days — an initial triage and a view of severity, scope, and likely fix path.
• Within 90 days — remediation of valid reports, or a written explanation if more time is required.
• After remediation — with your consent, you’ll be credited on our acknowledgments page.

Scope

In scope: builderscroll.com, the production application, our public APIs, and our authentication flows.

Out of scope: third-party services we depend on (Supabase, Resend, Vercel, PostHog, Termly), denial-of-service or volumetric testing, social engineering of our team or users, physical security, and findings derived solely from automated scanners without a working proof-of-concept.

Safe-harbour

If you make a good-faith effort to comply with this policy, we will not pursue or support legal action against you. Please: avoid privacy violations, data destruction, or interruption of service; only interact with accounts you own or have explicit permission to test; and give us reasonable time to remediate before any public disclosure.

Bounty

We do not currently run a paid bug-bounty programme. We do publicly credit researchers who report responsibly and may offer swag for high-impact findings. We’re a small team and we’re very grateful for your help.