Startupkit VDP

Vulnerability Disclosure Policy — Startupkit VDP

Startupkit is a toolkit for startups — simpler, affordable alternatives to expensive SaaS tools. We take security seriously and welcome responsible disclosure from the research community. If you’ve found a vulnerability affecting startupkit.app or its subdomains, we’d love to hear from you.

Scope

In Scope

  • startupkit.app
  • app.startupkit.app
  • api.startupkit.app
  • security.startupkit.app
  • careers.startupkit.app

Out of Scope

  • Social engineering of Startupkit employees or contractors
  • Denial of service (DoS/DDoS) attacks
  • Physical access attacks or attacks requiring physical access to a user's device
  • Self-XSS (where the victim must paste or run attacker-supplied code in their own browser themselves)
  • Clickjacking on pages without sensitive actions
  • Missing security headers or best practices without a demonstrated exploit (e.g. missing CSP, HSTS, DNSSEC)
  • Password or account policy reports without a demonstrated security impact (complexity, lockout policy, etc.)
  • CSRF on logout
  • Open redirects without demonstrated security impact
  • Vulnerabilities in third-party services or libraries used by Startupkit
  • Rate limiting or brute-force issues without a realistic attack scenario
  • SSL/TLS version or cipher configuration issues without demonstrated exploit
  • Disclosure of non-sensitive information (software versions, server banners, etc.)
  • Email spoofing or SPF/DMARC issues without a realistic phishing scenario

Safe Harbor

Any activities conducted in a manner consistent with this policy will be considered authorized conduct. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.

Disclosure Policy

We follow coordinated disclosure. Please give us 90 days to triage and address a reported vulnerability before publishing details publicly. We’ll keep you updated on our progress and acknowledge your contribution once the issue is resolved.

  • Report via the form on this page
  • We’ll acknowledge receipt within 48 hours
  • We aim to resolve critical issues within 14 days and other issues within 90 days
  • We do not pursue legal action against researchers who act in good faith
  • We ask that you do not access, modify, or delete user data beyond what is necessary to demonstrate the vulnerability

Response Times

We aim to acknowledge every report within 72 hours of submission, and typically within 48 hours. Critical issues are targeted for resolution within 14 days and all other issues within 90 days, as set out in the Disclosure Policy above.

How to Report

Submit your vulnerability report through our secure form.
