Security & responsible disclosure

We take the security of your resume content, AI conversations, and account credentials seriously. If you've found a vulnerability, we want to hear about it.

Reporting a vulnerability

Email [email protected] with:

  • A clear description of the issue and its impact
  • Steps to reproduce (or proof-of-concept)
  • Your name + handle (if you'd like credit)
  • Whether you've disclosed this anywhere else

We acknowledge reports within 2 business days and target a fix within 30 days for high-severity issues. We'll keep you updated and credit you publicly when the fix ships (with your permission).

What's in scope

  • Authentication and authorisation flaws (RLS bypass, JWT handling, session fixation)
  • Injection (SQL, command, path traversal, prototype pollution)
  • SSRF, XXE, insecure deserialization
  • Sensitive data exposure (PII, AI conversation history, Stripe refs, photo URLs)
  • Cross-tenant data leakage (one user's data leaking into another's view)
  • Account takeover via phishing-of-platform, credential leaks, or recovery flow flaws
  • Cross-site scripting (XSS), CSRF, clickjacking on authenticated pages
  • Rate-limit or quota bypass that meaningfully impacts costs/availability

Out of scope

  • Spam, phishing, or other abuse using offersly.app as a domain (report to [email protected])
  • Best-practice nitpicks without demonstrable impact (e.g. "you don't set X-DNS-Prefetch-Control")
  • Volumetric / DDoS attacks
  • Findings against sub-processors (Supabase, Anthropic, OpenAI, Stripe, Cloudflare) — report directly to them
  • Automated scanner output without manual triage / impact assessment

Rules of engagement

We don't have a paid bug bounty (yet), but we acknowledge contributors publicly. Please:

  • Do test only against accounts you own
  • Do stop and report immediately if you access another user's data accidentally
  • Don't exfiltrate, modify, or destroy data that isn't yours
  • Don't run automated scanners that generate load on shared infrastructure
  • Don't publicly disclose before we've acknowledged + shipped a fix (or 90 days have passed without a response, whichever comes first)

If you act in good faith under these rules, we won't pursue legal action against you, and we will work with you to coordinate disclosure.

Machine-readable

See /.well-known/security.txt for the RFC 9116 contact metadata.

Privacy / data protection inquiries

For data-protection questions (GDPR access requests, PDPA data access, deletion, portability), email [email protected] — or use the self-service flows in Settings & data.

© 2026 Offersly. All rights reserved.