# Security

Contact: [security@weise.org](mailto:security@weise.org)

Based on [https://supabase.com/.well-known/security.txt](https://supabase.com/.well-known/security.txt)

I consider the security of web systems a top priority. But no matter how much
effort I put into system security, there can still be vulnerabilities present.

If you discover a vulnerability, I would like to know about it so I can take
steps to address it as quickly as possible. I would like to ask you to help me
better protect my and anyone else's web systems.

## Out of scope vulnerabilities

- Clickjacking on pages with no sensitive actions.
- Unauthenticated/logout/login CSRF.
- Attacks requiring MITM or physical access to a user's device.
- Any activity that could lead to the disruption of my web systems (DoS).
- Content spoofing and text injection issues without showing an attack
  vector/without being able to modify HTML/CSS.
- Email spoofing
- Missing DNSSEC, CAA, CSP headers
- Lack of Secure or HTTP only flag on non-sensitive cookies
- Deadlinks

## Please do the following

- E-mail your findings to [security@weise.org](mailto:security@weise.org).
- Do not run automated scanners on my infrastructure or dashboard. If you wish
  to do this, contact me and I will set up a sandbox for you.
- Do not take advantage of the vulnerability or problem you have discovered,
  for example by downloading more data than necessary to demonstrate the
  vulnerability or deleting or modifying other people's data,
- Do not reveal the problem to others until it has been resolved,
- Do not use attacks on physical security, social engineering, distributed
  denial of service, spam or applications of third parties,
- Do provide sufficient information to reproduce the problem, so I will be
  able to resolve it as quickly as possible. Usually, the IP address or the URL
  of the affected system and a description of the vulnerability will be
  sufficient, but complex vulnerabilities may require further explanation.

## What I promise

- I will respond to your report within 3 business days with my evaluation of
  the report and an expected resolution date,
- If you have followed the instructions above, I will not take any legal
  action against you in regard to the report,
- I will handle your report with strict confidentiality, and not pass on your
  personal details to third parties without your permission,
- I will keep you informed of the progress towards resolving the problem,
- In the public information concerning the problem reported, I will give your
  name as the discoverer of the problem (unless you desire otherwise), and
- I strive to resolve all problems as quickly as possible, and I would like to
  play an active role in the ultimate publication on the problem after it is
  resolved.