Security

Security policy

Effective 2026-05-28

How to report a vulnerability.

Email jj@watchkeeper.me with the subject line SECURITY: followed by a one-line summary. Include a description of the issue, reproduction steps, the affected URL or endpoint, and any proof-of-concept code or screenshots.

We are a small team. Encrypted reports are welcome but not required. There is no bug bounty program. We will acknowledge every legitimate report and credit researchers who want public recognition.

What we commit to.

  • Acknowledge your report within 3 business days.
  • Give you a status update within 10 business days, including a preliminary severity assessment.
  • Fix critical and high-severity issues as quickly as we reasonably can. Lower-severity issues land on the regular roadmap.
  • Notify affected users in line with our privacy policy when a vulnerability resulted in unauthorised access to personal data.
  • Not take legal action against researchers who follow this policy in good faith.

Safe harbor.

Good-faith security research, conducted in line with this policy, is authorised. We will not pursue civil action or refer reports to law enforcement for activity that stays within the scope below and follows responsible-disclosure norms.

In scope.

  • watchkeeper.me marketing site
  • app.watchkeeper.me production application
  • mail.watchkeeper.me transactional mail domain
  • The Watchkeeper PWA service worker and offline outbox behavior
  • API endpoints exposed from either site

Out of scope.

  • Reports generated solely by automated scanners with no manual verification or impact statement.
  • Findings from physical testing, social engineering of Watchkeeper staff, or phishing of users.
  • Denial-of-service, traffic flooding, or brute-force attacks. Please do not test these against production.
  • Issues in third-party services we depend on (Supabase, Vercel, Cloudflare, Resend, Stripe, Anthropic, OpenAI, Sentry, Inngest, Twilio). Report those to the provider directly.
  • Missing best-practice security headers on assets that do not host sensitive content, unless you can demonstrate an exploit.
  • Email spoofing reports based on the absence of strict DMARC enforcement.

What we ask of researchers.

  • Do not exfiltrate, modify, or destroy data belonging to anyone other than yourself.
  • Use a test account you control. If you must access another user’s data to demonstrate impact, stop as soon as the issue is confirmed and tell us.
  • Give us a reasonable window to remediate before public disclosure. 90 days is the default; we will negotiate shorter or longer in unusual cases.
  • Do not run tests that degrade service for legitimate users.

security.txt.

The machine-readable version of this policy lives at /.well-known/security.txt per RFC 9116.

Thank you for helping keep Watchkeeper and its users safe.