responsible disclosure
tl;dr — we welcome coordinated disclosure from security researchers. this page is our lightweight vulnerability disclosure policy (no paid bounty in v1). report issues to security@whitelabel.dev; we target a first response within 48 hours and resolution within about 30 days where feasible. testing production with your own account is fine; denial-of-service and other out-of-scope activity is not.
/01 scope
in scope
- whitelabel.dev — the apex site and subpaths we operate on that domain
- browser extension — current releases from official stores (chrome, edge, firefox, safari)
- backend services — production APIs and infrastructure the site or extension depends on, when operated by us
production testing with your own account is allowed when it stays within this policy: use an account you control, avoid impacting other users or data you do not own, and stop if you see harm spreading beyond your session.
out of scope
- denial-of-service (DoS / DDoS), volumetric flooding, or resource exhaustion attacks against production
- social engineering, physical security, or issues that require a victim to run attacker-supplied code in their own browser without an underlying product bug (e.g. self-XSS via devtools)
- third-party services (report them to the vendor); missing security headers without a working exploit; spam or content complaints
- accessing, modifying, or exfiltrating other people's data without authorization
/02 how to report
email security@whitelabel.dev with a clear description, the affected component or URL, steps to reproduce, and encrypted attachments if needed.
OpenPGP: you may encrypt to our key for security@whitelabel.dev. the fingerprint is published with the public key on common keyservers; if you cannot find it, send a short note and we will reply with the current fingerprint and ASCII-armored key.
machine-readable contact: /.well-known/security.txt (RFC 9116).
/03 safe harbor
when you act in good faith under this policy — no extortion, no privacy violations beyond demonstrating the issue, no destructive testing, and reasonable coordination on disclosure timelines — we will not pursue or support legal action against you solely for that research. we may still protect our users and systems if activity falls outside this policy or the law.
/04 what to expect from us
- 48 hours — acknowledgement that we received your report (business days; sooner when we can).
- 30 days — target to remediate or ship a meaningful mitigation and agree on disclosure; complex issues may need longer — we'll keep you updated.
we do not operate a paid bounty program in v1. eligible reports may be recognized in a hall of fame (name or handle you provide) after fix or agreed disclosure, if you want public credit.
/05 fuller policy
for supported versions, ai-specific notes, and additional detail, see our main security & disclosure page.