# Startupkit VDP — Vulnerability Disclosure Program

> Startupkit operates a vulnerability disclosure program. Security researchers can report vulnerabilities through the process described below.

Startupkit is a toolkit for startups — simpler, affordable alternatives to expensive SaaS tools. We take security seriously and welcome responsible disclosure from the research community. If you've found a vulnerability affecting startupkit.app or its subdomains, we'd love to hear from you.

## Scope

### In Scope
- startupkit.app
- app.startupkit.app
- api.startupkit.app
- security.startupkit.app
- careers.startupkit.app

### Out of Scope
- Social engineering of Startupkit employees or contractors
- Denial of service (DoS/DDoS) attacks
- Physical access attacks or attacks requiring physical access to a user's device
- Self-XSS (requires the victim to run attacker-supplied code in their own browser)
- Clickjacking on pages without sensitive actions
- Missing security headers or best practices without a demonstrated exploit (e.g. missing CSP, HSTS, DNSSEC)
- Password or account policy reports without a demonstrated security impact (complexity, lockout policy, etc.)
- CSRF on logout
- Open redirects without demonstrated security impact
- Vulnerabilities in third-party services or libraries used by Startupkit
- Rate limiting or brute-force issues without a realistic attack scenario
- SSL/TLS version or cipher configuration issues without a demonstrated exploit
- Disclosure of non-sensitive information (software versions, server banners, etc.)
- Email spoofing or SPF/DMARC issues without a realistic phishing scenario

## Response Times

- Acknowledgment: within 72 hours

## Safe Harbor

Any activities conducted in a manner consistent with this policy will be considered authorized conduct. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.

## Disclosure Policy

We follow coordinated disclosure. Please give us **90 days** to triage and address a reported vulnerability before publishing details publicly. We'll keep you updated on our progress and acknowledge your contribution once the issue is resolved.

- Report via the form on this page
- We'll acknowledge receipt within **48 hours**
- We aim to resolve critical issues within **14 days** and other issues within **90 days**
- We do not pursue legal action against researchers who act in good faith
- We ask that you do not access, modify, or delete user data beyond what is necessary to demonstrate the vulnerability

## How to Report

Submit a vulnerability report at: https://security.startupkit.app/report

> Important: Reports must be submitted personally by the researcher through the web form linked above. Do not submit reports programmatically — automated submissions are rate-limited and may be flagged as spam.
