Security

Report a vulnerability

If you have found a security issue, please email us before disclosing it publicly. We handle all reports confidentially.

Contact: security@whatdoiowe.cy

What we promise

• First response within 72 hours of receipt.
• 90-day coordinated disclosure window — we will work with you before any public release.
• We will acknowledge your contribution in our hall of fame, unless you prefer to remain anonymous.

Scope

The following are in scope:

• whatdoiowe.cy and all subdomains (*.whatdoiowe.cy)
• The Fly.io worker that powers the scraper pipeline

Out of scope

The following are outside the scope of this program. Please do not test or report them:

• Denial-of-service attacks (DDoS or application-layer)
• Social engineering of our team or users
• Third-party services we rely on but do not control: Clerk, Stripe, Vercel, Neon, Upstash, Sentry

Hall of fame

Researchers will be acknowledged here once we have our first report.