gasguide

Vulnerability disclosure

We take security seriously. If you discover a vulnerability in gasguide.app, please report it to us privately so we can investigate and fix it before details are made public.

How to report

  • Email security@gasguide.app with reproduction steps, an impact assessment, and any proof-of-concept (PoC) code.
  • For sensitive reports, keep the first email free of exploit details and request our PGP key by replying to the acknowledgment email; we'll send it inline, and you can then send the full report encrypted.
  • Machine-readable contact: /.well-known/security.txt (RFC 9116).
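Before relying on a security.txt file you find at /.well-known/security.txt, it is worth checking it against the RFC 9116 rules that matter in practice: Contact must appear at least once, Expires exactly once as an RFC 3339 timestamp that is neither past nor (by recommendation) more than a year out, Preferred-Languages at most once, and web URIs must use https. The following is an added example written for this page, not gasguide.app's own code; the only value taken from the page is the Contact address, and the Expires, Canonical and Policy values in the constructed sample are assumptions.

```python
"""RFC 9116 sanity checks for a security.txt body.

Added example for this page; it is not gasguide.app's own code. The only
value taken from the page is the Contact address; everything else in the
constructed sample (Expires, Canonical, Policy) is an assumption.
"""
from datetime import datetime, timedelta, timezone

# Constructed sample body, not fetched from gasguide.app.
SAMPLE_SECURITY_TXT = """\
# Constructed sample; values other than the contact address are assumptions.
Contact: mailto:security@gasguide.app
Expires: 2030-01-01T00:00:00Z
Canonical: https://gasguide.app/.well-known/security.txt
Policy: https://gasguide.app/security/disclosure
Preferred-Languages: en
"""

# A deliberately bad constructed body: plaintext HTTP contact, no Expires,
# and a duplicated Preferred-Languages field.
BROKEN_SECURITY_TXT = """\
Contact: http://example.invalid/report
Preferred-Languages: en
Preferred-Languages: de
"""

# Fields RFC 9116 allows at most once.
AT_MOST_ONCE = ("expires", "preferred-languages")
# Contact may be mailto:, tel: or a web URI; a web URI must be https.
CONTACT_SCHEMES = ("mailto:", "tel:", "https://")


def parse_security_txt(body):
    """Return (field, value) pairs in file order with field names lower-cased.

    Comment lines (#) and blank lines are ignored; every other line must be
    'Name: value' per RFC 9116.
    """
    pairs = []
    for raw in body.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep or not name.strip():
            raise ValueError("malformed security.txt line: %r" % raw)
        pairs.append((name.strip().lower(), value.strip()))
    return pairs


def validate_security_txt(body, now=None):
    """Return a list of problems; an empty list means the body passes.

    `now` is injectable so the Expires checks are deterministic in tests.
    """
    now = now or datetime.now(timezone.utc)
    pairs = parse_security_txt(body)
    problems = []

    counts = {}
    for name, _ in pairs:
        counts[name] = counts.get(name, 0) + 1

    # Required fields: Contact at least once, Expires exactly once.
    if counts.get("contact", 0) == 0:
        problems.append("missing Contact field")
    if counts.get("expires", 0) == 0:
        problems.append("missing Expires field")
    for name in AT_MOST_ONCE:
        if counts.get(name, 0) > 1:
            problems.append("%s appears more than once" % name)

    for name, value in pairs:
        if name == "contact" and not value.startswith(CONTACT_SCHEMES):
            problems.append("Contact must be a mailto:, tel: or https:// URI: %s" % value)
        elif name == "canonical" and not value.startswith("https://"):
            problems.append("Canonical must be an https:// URI: %s" % value)
        elif name == "expires":
            try:
                # RFC 9116 mandates an RFC 3339 timestamp; normalise 'Z' for fromisoformat.
                expires = datetime.fromisoformat(value.replace("Z", "+00:00"))
            except ValueError:
                problems.append("Expires is not an RFC 3339 date-time: %s" % value)
                continue
            if expires.tzinfo is None:
                problems.append("Expires lacks a timezone offset: %s" % value)
            elif expires <= now:
                problems.append("security.txt has expired (%s)" % value)
            elif expires - now > timedelta(days=365):
                # RFC 9116 recommends an Expires value less than a year out.
                problems.append("Expires is more than a year in the future: %s" % value)
    return problems


def check_at(body, now_iso):
    """Validate `body` as of the RFC 3339 instant `now_iso` (for reproducible runs)."""
    return validate_security_txt(body, datetime.fromisoformat(now_iso.replace("Z", "+00:00")))


if __name__ == "__main__":
    for label, body in (("sample", SAMPLE_SECURITY_TXT), ("broken", BROKEN_SECURITY_TXT)):
        print(label, validate_security_txt(body) or "OK")
```

The checks cover the MUST/SHOULD rules a reporter can verify offline; they do not verify the OpenPGP cleartext signature RFC 9116 recommends, which needs the site's key and is a separate step.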

What we promise

  • Acknowledge your report within 24 hours.
  • Provide a triage decision (in-scope / out-of-scope / duplicate) within 3 business days.
  • Fix critical issues within 7 days, high within 30 days, medium within 90 days.
  • Credit you publicly in the acknowledgments below (with your consent) once the issue is fixed.
  • Never pursue legal action against researchers acting in good faith within the scope of this policy.

What we ask of you

  • Do not access, modify, or delete data that does not belong to you.
  • Do not run automated scanners that generate significant traffic.
  • Do not exploit the vulnerability beyond what is necessary to demonstrate the issue.
  • Give us a reasonable window to fix the issue before public disclosure.
  • If you accidentally access another user's data during testing, stop immediately and report it with the data redacted from any PoC.

In scope

  • https://gasguide.app and any subdomain (e.g. voice.gasguide.app)
  • gasguide.app mobile/web app source delivered from our origins
  • Server-side bugs in our APIs, authentication, billing, or share-link flow
  • Cross-tenant data leakage, row-level security (RLS) bypass, privilege escalation
  • Stored / reflected / DOM XSS, SSRF, IDOR, SQL injection, auth-flow bypass

Out of scope

  • Findings from automated scanners that we can't reproduce manually
  • Volumetric DoS / DDoS (Cloudflare absorbs this; report it via Cloudflare's abuse channels)
  • Social engineering of staff or users
  • Physical attacks on infrastructure
  • Self-XSS, missing security headers without demonstrated impact
  • Email spoofing reports that cite only missing SPF/DKIM records (we publish both)
  • Issues in third-party services (Supabase, Stripe, Resend) — report to them directly

Rewards

We do not yet operate a formal monetary bug-bounty program. We do offer public credit and gasguide.app swag, and may negotiate a goodwill payment for critical findings on a case-by-case basis.

Acknowledgments

No external researchers yet. We'll list everyone who has responsibly disclosed a verified vulnerability here.

Last updated: . See also our security overview and trust portal.