Security & vulnerability reporting
If you've found a security issue in FloorRadar, we want to hear about it. This page covers how to report and what we commit to in return.
How to report
Email support@floorradar.com with the subject line starting [security]. Include:
- What the issue is
- Steps to reproduce (or a working proof of concept)
- Your assessment of severity / impact
- Whether you've disclosed this anywhere else
- Whether you'd like credit for the report (optional)
You can also use the contact information we publish at /.well-known/security.txt, which follows RFC 9116.
What we commit to
- Acknowledge within 2 business days, with a reply from a real human, not an auto-response.
- Assess severity within 5 business days. We'll tell you whether we rate it critical, high, medium, or informational.
- Patch critical issues within 7 days. Lower-severity issues land in the next regular release cycle, usually within 30 days.
- Credit you publicly in the changelog if you want; opting out is fine.
- No legal threats for good-faith research. If you're acting in good faith (no harm, no extortion, no public dumping), we won't sue you. Period.
Scope
In scope:
- floorradar.com and any subdomain we publish
- The mobile-web rendering of the same
- Auth flow, payment flow, data exposure / cross-tenant leakage
Out of scope:
- Third-party services we use (report directly to Supabase, Vercel, Stripe, Resend, etc.)
- Social engineering of our users
- Physical security issues
- Attacks that only work from inside a user account whose owner handed you the credentials
What we WON'T do
- Threaten you with the CFAA or similar laws for testing in good faith
- Ignore your report
- Dispute findings without explaining why
- Publish your details without your consent
Bug bounty?
Not currently. We're a small team and a paid bug-bounty program isn't budgeted yet. We can offer credit + a thank-you in the changelog. As we grow, we'll add a formal bounty program. The lack of bounty doesn't change our commitment to respond and fix.
Internal security tracker
We maintain a public-facing security posture overview in the project's roadmap. Specific findings (open vs. resolved) are tracked internally and addressed on the cadence above.
Contact
support@floorradar.com · subject [security]