Responsible Disclosure

Our commitment

Security is the whole point of VibeSafely, so we hold our own service to the same standard. If you've found a vulnerability in VibeSafely, we want to hear about it. We won't pursue legal action against researchers who follow this policy in good faith.

How to report

Email hello@vibesafely.com with the subject "Security report". Include enough detail for us to reproduce the issue:

• A clear description of the vulnerability and its potential impact.
• Step-by-step reproduction instructions, including affected URLs or endpoints.
• Any proof-of-concept, request/response samples or screenshots (please keep them minimal).
• How we can reach you for follow-up.

Please do

• Give us a reasonable time to investigate and fix the issue before any public disclosure.
• Use only your own test accounts and data while researching.
• Stop and report immediately if you encounter personal data belonging to others.

Please do not

• Access, modify or delete data that is not yours, or degrade the service for other users.
• Run denial-of-service, spam or social-engineering attacks against us, our staff or our users.
• Publicly disclose the issue before we have had a chance to remediate it.
• Use the finding for any purpose other than reporting it to us.

What to expect from us

• We aim to acknowledge your report within a few business days.
• We will keep you updated as we triage and fix the issue, and let you know when it is resolved.
• With your permission, we are happy to credit you once the fix has shipped.

Scope

This policy covers vibesafely.com and the VibeSafely application and API. It does not cover the third-party sites you scan, or services we depend on but do not operate (for those, please report to the relevant provider). We do not currently run a paid bug-bounty program, but we genuinely appreciate responsible reports.