Security & Vulnerability Disclosure
Last updated: 30 April 2026
The security of our customers' data is important to us. If you believe you've found a vulnerability or security issue with testedroutes.com, please tell us so we can fix it.
1. How to report
Email security@testedroutes.com with a description of the issue and step-by-step reproduction instructions. Where possible, include affected URLs, screenshots, and any relevant payload or request data. We will acknowledge your report within two business days.
2. Responsible disclosure
While we work on a fix, we ask that you:
- do not publicly disclose the issue until we have had a reasonable opportunity to address it (typically 90 days);
- do not exploit the vulnerability beyond what is necessary to prove its existence;
- do not access, modify, or destroy data belonging to other users;
- do not perform automated, destructive, or denial-of-service testing against our infrastructure.
3. Safe harbour
Where research is conducted in line with this policy, we consider it authorised. We will not pursue legal action against you for accessing our systems in good faith for the purpose of identifying and reporting a security issue.
4. Rewards
We do not run a paid bug-bounty programme by default. For genuinely serious findings (e.g. authentication bypass, data exposure, payment manipulation) we may, at our discretion, offer a reward or recognition for responsible disclosure. We will discuss any reward on a case-by-case basis.
5. Out of scope
The following are generally not considered security vulnerabilities for the purposes of this policy:
- issues in third-party services we use (Vercel, Sanity, Polar, Beehiiv, PostHog, Sentry) – please report those directly to the provider;
- missing security headers without a demonstrated impact;
- email-spoofing reports based solely on missing or partial DMARC / SPF records (we are tightening these on an ongoing basis);
- theoretical issues without a working proof of concept.