Onwards Upwards

Coordinated vulnerability disclosure

We welcome security research. This page explains how to report a vulnerability safely, what we promise in return, and what is out of scope. The policy is aligned with ISO/IEC 29147 (vulnerability disclosure) and ISO/IEC 30111 (vulnerability handling processes).

How to report

Email security@onwardsupwards.app. Include the affected URL or endpoint, reproduction steps, your assessment of impact, and any relevant logs or screenshots. If the issue concerns user data, do not include another user's data in your report — describe the access path instead.

Our machine-readable contact is published at /.well-known/security.txt per RFC 9116.
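For reference, this is what an RFC 9116 security.txt matching the policy on this page looks like. It is an added illustration, not the file the site actually publishes; only the contact address comes from this page, and the Expires date, the Policy and Acknowledgments URLs and the language list are assumed placeholders.

```text
# Added illustration of an RFC 9116 security.txt for this policy.
# Not the site's published file; values other than the contact address are assumed.

# Required: where reports go. Matches the address given in "How to report".
Contact: mailto:security@onwardsupwards.app

# Required: ISO 8601 date-time after which the file should be treated as stale.
# Placeholder date, assumed; RFC 9116 recommends less than a year ahead.
Expires: 2027-05-24T00:00:00.000Z

# Optional: URL of this disclosure policy (assumed path).
Policy: https://onwardsupwards.app/security

# Optional: where credited researchers are listed (assumed path).
Acknowledgments: https://onwardsupwards.app/security#acknowledgments

# Optional: languages the security team can handle reports in (assumed).
Preferred-Languages: en

# Optional: the URL this file is meant to be served from, so a signed copy
# cannot be silently re-hosted elsewhere.
Canonical: https://onwardsupwards.app/.well-known/security.txt
```

Two things worth checking on a live file: that it is served over HTTPS at /.well-known/security.txt with a text/plain content type, and that the Expires value is refreshed before it lapses, because clients following RFC 9116 are expected to disregard an expired file.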

Response SLAs

  • Acknowledgement within 3 business days.
  • Initial triage and severity decision within 10 business days.
  • Status updates at least every 14 days until resolution.
  • Target remediation: critical within 7 days, high within 30 days, medium within 90 days, low at next scheduled release.

In scope

  • onwardsupwards.app and all subdomains we operate.
  • Authenticated and unauthenticated areas of the web app.
  • Our public API routes under /api/public/*.
  • Authentication, session, and account-recovery flows.
  • Row-level security (RLS) bypasses, IDOR, server-side request forgery, injection, and cryptographic failures.

Out of scope

  • Denial-of-service, volumetric attacks, and brute force that does not involve bypassing a protection.
  • Findings that require physical access or a compromised device.
  • Social engineering of staff or users.
  • Vulnerabilities in upstream sub-processors (please report to them directly).
  • Missing security headers without a demonstrated exploit.
  • Reports from automated scanners without manual verification.

Safe harbour

We will not pursue legal action against researchers who:

  • Make a good-faith effort to comply with this policy.
  • Avoid privacy violations, destruction of data, and interruption or degradation of service.
  • Only interact with accounts they own or with explicit permission of the account holder.
  • Give us reasonable time to remediate before public disclosure (typically 90 days from acknowledgement).

Acknowledgments

With consent, we credit researchers who report valid findings here. To request credit (or anonymity), say so in your report.

Last updated: May 24, 2026.