Responsible Disclosure: Report a Vulnerability
Responsible disclosure policy — last updated May 2026
Our commitment to you
- 48 hours — Initial acknowledgement of your report
- Good faith — No legal action against responsible researchers
- Confidential — Your report will be treated with discretion
- Credit — We will credit you (if you wish) after resolution
How to Report
Send your report to:
Subject: [SECURITY] Brief description
What to Include
- A clear description of the vulnerability
- Steps to reproduce (proof of concept)
- The potential impact — what could an attacker do?
- Which URL, endpoint, or component is affected
- Your name/handle for credit (optional)
In Scope
- Authentication bypass or session hijacking
- SQL injection or database access
- Cross-site scripting (XSS) with real impact
- Cross-site request forgery (CSRF)
- Sensitive data exposure (PII, credentials)
- Server-side request forgery (SSRF)
- Broken access control (accessing other users' data)
- Stripe payment flow manipulation
Out of Scope
- Denial of service (DoS/DDoS) attacks
- Brute force attacks on login
- Social engineering or phishing
- Vulnerabilities in third-party libraries
- Issues requiring physical access to a device
- Self-XSS (only affects the attacker)
- Missing HTTP headers without demonstrated impact
- Outdated software without a working proof of concept
Response Timeline
- 48h — Initial acknowledgement
Safe Harbor
Workruno considers security research conducted under this policy to be authorized. We will not pursue civil or criminal action against researchers who discover vulnerabilities in good faith, avoid accessing or modifying user data beyond what is needed to demonstrate the issue, do not exploit the vulnerability for personal gain, and report to us before public disclosure.
Further reading: CVD best practices.
© 2026 Workruno-app. All rights reserved.