Security disclosure

If you've found a security issue on combineops.com, please report it. We don't sue researchers acting in good faith.

How to report

Email [email protected] with subject line "Security:". Include:

• Description of the vulnerability and its impact.
• Steps to reproduce.
• Affected URL(s) or component.
• Your suggested fix, if you have one.

Use the published /.well-known/security.txt as the canonical contact reference.

What you can expect from us

• Acknowledgment within 3 business days.
• A first triage assessment within 7 business days.
• Regular status updates until the issue is resolved.
• Credit in our (future) acknowledgments page if you'd like.
• No legal action against researchers who report in good faith and follow this policy.

Safe harbor — what counts as good faith

• Make a good-faith effort to avoid privacy violations, destruction of data, and interruption of service.
• Don't access more data than necessary to demonstrate the vulnerability.
• Don't share details with anyone else until we've had a reasonable chance to fix.
• Don't test our infrastructure providers (Cloudflare, Vercel, Supabase, Stripe) — report those to them directly.
• Don't test physical or social-engineering attacks.

Out of scope

• Vulnerabilities in third-party services we use — please report directly to them.
• Self-XSS, social engineering, and physical attacks.
• Findings from automated scanners without evidence of exploitability (please verify before reporting).

Bounty

We do not currently offer monetary bounties. We do offer public credit and a sincere thank-you. This may change as we grow.

← back to the splash

Last updated: 2026-05-29.