Report a security vulnerability.
Found a security issue in VitaLog? Send it directly to security@vitalog.io. We treat security reports as the highest-priority inbox, respond within 48 hours, and offer safe-harbor protection for good-faith research.
Effective: 2026-05-06 · security.txt: /.well-known/security.txt
TL;DR
- Email security@vitalog.io. PGP key below if you'd like to encrypt.
- Response within 48 hours; triage decision within 5 business days.
- Safe harbor for good-faith research that follows the rules below.
- No paid bounty program today; we offer public credit and warm thanks.
- Coordinated disclosure: please give us 90 days before public disclosure.
In scope
- The production application at vitalog.io and app.vitalog.io (once Phase B ships).
- The API at pepboard-api.ecokalle.workers.dev and any future api.vitalog.io origin.
- Static marketing pages on vitalog.io.
- Authentication, session handling, CSRF, and authorization across the API.
- Data-isolation issues (one user accessing another user's data).
- Cryptographic flaws in the client-side photo encryption.
- Server-side request forgery, injection, deserialization, and similar OWASP Top 10 issues.
- Account takeover, password-reset abuse, 2FA bypass.
- Stored or reflected XSS bypassing the CSP.
Out of scope
- Issues in third-party services we depend on (Cloudflare, Neon, Resend); report those to the vendor directly.
- Self-hosted forks or community deployments; we control only our own production.
- Denial-of-service via volumetric attacks, application-layer flooding, or reflective amplification.
- Social engineering of staff or contractors.
- Physical attacks on infrastructure.
- Outdated or "best-practice" recommendations that aren't tied to a specific exploitable issue (e.g., "you should use header X" without a working PoC).
- Reports from automated scanners with no manual verification.
- Missing security headers when no exploit chain is shown.
- Email spoofing where SPF / DKIM / DMARC are correctly configured.
- Self-XSS that requires the user to paste attacker-controlled JS into their own console.
- Clickjacking on pages without sensitive actions.
- UI/UX issues that aren't security-relevant.
Safe harbor
When you research security issues in VitaLog in good faith, comply with the rules below, and report what you find:
- We will not pursue civil action or initiate criminal action against you.
- We will not refer you to law enforcement.
- We will not require you to take down your published research, provided you respect the coordinated-disclosure timeline below.
- We waive Section 1030 (US CFAA), the equivalent provisions of Sweden's Brottsbalken kap. 4 §9c, and similar laws in other jurisdictions to the extent applicable to your good-faith research.
This protection extends only to security research conducted in compliance with this policy. Acting in bad faith, accessing data beyond what's needed to demonstrate the issue, or harming users voids it.
Rules of engagement
To stay inside safe harbor:
- Do not access, modify, exfiltrate, or destroy data belonging to anyone except yourself or a test account you control.
- Do not attempt to brute-force credentials of real accounts. Create a test account if needed.
- Do not run scanners that generate sustained or high-rate traffic. If you need to test rate-limiting, coordinate with us first.
- Do not perform testing that degrades service for other users (DoS, lock contention, etc.).
- Do not pivot from a discovered vulnerability into deeper systems unless it's necessary to demonstrate impact, and even then, stop at the minimum proof-of-concept.
- If you accidentally encounter user data, stop, do not save it, and tell us in your report.
- Do not publicly disclose before our 90-day coordinated-disclosure window expires (or sooner if we agree).
How to report
Email security@vitalog.io with:
- A clear description of the issue and its impact.
- Reproduction steps, including any test-account credentials you used.
- Affected URL / endpoint / component.
- Whether you've shared this with anyone else (we ask for coordinated disclosure but understand if you've already filed elsewhere).
- Your preferred name (or pseudonym) for public credit, plus any links you'd like included.
PGP encryption is welcome. Our public key fingerprint and full key are published below and at /.well-known/security.txt and /.well-known/pgp-key.txt.
Response timeline
- ≤ 48 hours: acknowledge receipt.
- ≤ 5 business days: initial triage; we tell you whether we've reproduced it and how we're treating severity.
- Critical / high: mitigation deployed within 7 days; full fix within 30 days.
- Medium / low: fix within 90 days.
- Disclosure: we publish a credit and summary on this page once the fix is deployed and you've confirmed.
PGP key
Plain email to security@vitalog.io is fine for an initial report. PGP key will be published at /.well-known/pgp-key.txt when ready; if you need to encrypt before then, mention it in your initial email and we'll arrange a secure channel.
Hall of thanks
Researchers who've helped make VitaLog more secure (with their permission to be named):
No reports yet; this section will turn into a list as reports come in. Be the first.