SECURITY DISCLOSURE

Found something?

We’d rather hear it from you than read it in a writeup. Tell us.

Contact

Email security@dltd.app with reproduction steps, affected URL(s), and your name (so we can credit you).

We have not published a PGP key yet. If you need to send an encrypted report, email us first and we will issue a key for that disclosure.

Our SLA

  • Acknowledge: within 24 hours, in any timezone.
  • Critical (RCE, auth bypass, mass data exposure): patched within 7 days.
  • High (CSRF on sensitive action, info disclosure): patched within 14 days.
  • Medium (rate-limit bypass, account enumeration, missing headers): patched within 30 days.
  • Low / informational: triaged; may stay on the roadmap.

In scope

  • Anything under /api/*
  • Authentication, session, cookie issues
  • Authorization bypass against another user’s data (broker scans, breach records, AI audit findings, inbox findings, family memberships)
  • Information disclosure of PII, broker data, audit logs
  • CSRF / SSRF / open redirect / cache poisoning
  • Anything that breaks our published privacy claims at /privacy or our security commitments at /trust
  • SSO + SCIM flows for Business tier customers
  • Stripe webhook + checkout integrity

Out of scope

  • Missing security headers on /_next/static/* (Next.js controls these)
  • Account enumeration via the password-reset flow (Supabase-managed)
  • Rate limiting on public marketing pages
  • Stripe checkout iframe behavior (handled by Stripe)
  • Dependency vulnerabilities without a working reproduction
  • Clickjacking against authenticated areas (already protected via a CSP of frame-ancestors 'none')
  • Social-engineering reports against DLTD staff

What you get

Credit. Public hall of fame entry under your handle on our Trust Center once the fix ships.

Swag. Severity-rated DLTD merch sent anywhere on Earth for confirmed reports.

Paid bounty: not yet — we’re a small team, and a half-funded bounty program is worse than none. We’ll commit to one publicly when we can sustain it.

Safe harbor

Good-faith research within the scope above does not violate our terms. We will not pursue legal action against researchers who:

  • Do not access another user’s data beyond the minimum needed to demonstrate the vulnerability
  • Do not degrade service for other users (no DoS testing)
  • Do not socially engineer DLTD staff
  • Give us reasonable disclosure time (default 90 days, faster if we agree)

The boring details

security.txt: /.well-known/security.txt
Policy: /trust
Privacy: /privacy
Sub-processors: /business/subprocessors