Security & Responsible Disclosure

Last updated: April 21, 2026

1. Reporting a Vulnerability

If you believe you've found a security vulnerability in DoodleSnap, please email support@doodlesnap.app with the subject line "Security". We aim to acknowledge reports within 72 hours.

2. What to Include

  • A clear description of the issue and its potential impact.
  • Steps to reproduce, including any proof-of-concept code or screenshots.
  • The affected URL(s), endpoint(s), or app component.
  • Your contact details (if you'd like credit after a fix ships).

3. Scope

In scope:

  • The doodlesnap.app web app and its API endpoints.
  • Authentication, authorization, and account security.
  • Server-side rendering and data-exposure issues.
  • Payment and subscription flows.

Out of scope:

  • Findings that require physical access, social engineering, or malware on a user's device.
  • Denial-of-service attacks and volumetric testing.
  • Issues in third-party providers we integrate with (Supabase, OpenRouter, Dodo Payments, Vercel) — please report directly to them.
  • Missing security headers that have no demonstrable impact.

4. Safe Harbor

If you make a good-faith effort to follow this policy — give us reasonable time to respond, don't exfiltrate more data than is necessary to demonstrate the issue, and don't degrade service for other users — we will not pursue legal action against you for your research.

5. Credit

We're happy to credit researchers who responsibly report valid issues once a fix has shipped, subject to your preference for attribution or anonymity. DoodleSnap does not currently run a paid bug-bounty program.

6. PGP / Encrypted Reports

We currently accept plaintext reports by email. If you need to send sensitive findings encrypted, email us first and we'll arrange a channel.


© 2026 DoodleSnap. All rights reserved.