Security
Security & responsible disclosure
We take the security of your resume content, AI conversations, and account credentials seriously. If you've found a vulnerability, we want to hear about it.
Reporting a vulnerability
Email [email protected] with:
- A clear description of the issue and its impact
- Steps to reproduce (or proof-of-concept)
- Your name + handle (if you'd like credit)
- Whether you've disclosed this anywhere else
We acknowledge reports within 2 business days and target a fix within 30 days for high-severity issues. We'll keep you updated and credit you publicly when the fix ships (with your permission).
What's in scope
- Authentication and authorisation flaws (RLS bypass, JWT handling, session fixation)
- Injection (SQL, command, path traversal, prototype pollution)
- SSRF, XXE, insecure deserialization
- Sensitive data exposure (PII, AI conversation history, Stripe refs, photo URLs)
- Cross-tenant data leakage (one user's data leaking into another's view)
- Account takeover via phishing-of-platform, credential leaks, or recovery flow flaws
- Cross-site scripting (XSS), CSRF, clickjacking on authenticated pages
- Rate-limit or quota bypass that meaningfully impacts costs/availability
Out of scope
- Spam, phishing, or other abuse using offersly.app as a domain (report to [email protected])
- Best-practice nitpicks without demonstrable impact (e.g. "you don't set X-DNS-Prefetch-Control")
- Volumetric / DDoS attacks
- Findings against sub-processors (Supabase, Anthropic, OpenAI, Stripe, Cloudflare) — report directly to them
- Automated scanner output without manual triage / impact assessment
Rules of engagement
We don't have a paid bug bounty (yet), but we acknowledge contributors publicly. Please:
- Do test only against accounts you own
- Do stop and report immediately if you access another user's data accidentally
- Don't exfiltrate, modify, or destroy data that isn't yours
- Don't run automated scanners that generate load on shared infrastructure
- Don't publicly disclose before we've acknowledged + shipped a fix (or 90 days have passed without a response, whichever comes first)
If you act in good faith under these rules, we won't pursue legal action and will work with you to coordinate disclosure.
Machine-readable
See /.well-known/security.txt for the RFC 9116 contact metadata.
Privacy / data protection inquiries
For data-protection questions (GDPR access requests, PDPA data access, deletion, portability), email [email protected] — or use the self-service flows in Settings & data.