Security Policy

Reporting a Vulnerability

If you believe you have found a security vulnerability in ScaleVault, please report it to us privately. Do not disclose the issue publicly before we have had a chance to investigate and remediate — it puts other users at risk.

Email us at security@scalevault.app with the subject line: [security] <short summary>

Please include:

  • A description of the issue and the impact you believe it has.
  • Steps to reproduce, or a proof-of-concept if you have one.
  • The affected endpoint or feature, and the version if known.
  • Your name and any handle you'd like credited, or "anonymous" if you prefer.

We aim to:

  • Acknowledge receipt within 3 business days.
  • Provide an initial triage and expected timeline within 10 business days.
  • Keep you informed as we investigate and remediate.

Scope

In scope:

  • The hosted ScaleVault application at scalevault.app and its subdomains.
  • The ScaleVault application codebase, including API routes, queries, and authentication/authorization.
  • Supply-chain issues in declared production dependencies. Dev-only dependencies, direct or transitive, are out of scope unless the issue is exploitable through a deployed artifact.

Out of scope:

  • Denial-of-service via brute force against endpoints we already rate-limit, unless you have found a way to bypass the limiter.
  • Reports relying on unrealistic user behavior (e.g. a user installing a malicious browser extension).
  • Attacks requiring a privileged role that is already trusted (an account owner exfiltrating their own data is not a vulnerability).
  • Automated scanner output without a demonstrated impact.
  • Missing security headers on static asset responses.

Safe Harbor

We will not pursue legal action against researchers who:

  • Make a good-faith effort to follow this policy.
  • Do not intentionally access, modify, or destroy other users' data.
  • Do not publicly disclose the issue before we have had a reasonable opportunity to remediate.
  • Stop as soon as they have enough evidence to demonstrate the issue.

Disclosure

We prefer coordinated disclosure. Once a fix is deployed, we are happy to credit researchers who wish to be named.