RFC 9116 · Safe harbor · 48h response
Report a vulnerability
We take security seriously. If you believe you've found a vulnerability in AskBaily's services or data, please disclose it through the coordinated process below. Good-faith research is authorized under our safe harbor.
Scope
In scope
- askbaily.com + all subdomains
- /api/* (Cloudflare Pages Functions)
- /data/* (public JSON endpoints)
- /feed/* (regulatory feeds)
- /facts/* (comparison fact sheets)
- /.well-known/* (MCP, security.txt)
- chat.askbaily.com (SSE proxy)
Out of scope
- nplinedesign.com (parent operator infra)
- Third-party CDN issues outside our config
- Spam/phishing reports (→ [email protected])
- DDoS or volumetric testing
- Social engineering of AskBaily staff
- Physical-security attacks
Safe harbor
Modeled on Disclose.io Core Terms. Security research performed in good faith and compliant with this policy is authorized, considered beneficial, and will not trigger legal action by AskBaily. You must:
- Report within 7 days of discovery
- Avoid accessing, modifying, deleting, or exfiltrating user data beyond the minimum required to demonstrate the issue
- Not publicly disclose before a coordinated fix has shipped (we commit to a 90-day disclosure deadline)
- Not test DDoS, brute-force credential stuffing, or volumetric attacks
- Respect deny-lists: production partner GC contact information, homeowner PII, any data classified as GDPR/CCPA/DPDP protected
Response SLA
- Initial acknowledgment within 48 hours
- Severity triage within 5 business days
- Critical/high-severity fix targeted within 7 days; medium/low within 30 days
- Coordinated public disclosure once a fix has shipped and customer communications are complete
Acknowledgments
Researchers who responsibly disclose verified vulnerabilities are acknowledged here (with their consent). The list is maintained chronologically. For confidential acknowledgment, let us know in the disclosure email.
No public entries yet. Submit responsibly — you could be first.