Security
Find a hole. Tell us.
We take platform security seriously. If you find a vulnerability, disclose it responsibly and we'll fix it fast. This page is mirrored at /.well-known/security.txt per RFC 9116.
Contact
Email security@tattooos.ink with a description, reproduction steps, and the impact you observed. PGP key on request.
Scope
In scope:
- tattooos.ink + tattooos.skin (production)
- Authentication, authorization, session management
- Data exposure, IDOR, SQL injection, XSS, CSRF
- Server-side request forgery, deserialization bugs
- Stripe webhook + agent cron + email inbound endpoints
Out of scope:
- Denial-of-service, rate-limit bypass at scale (don't)
- Reports relying on outdated browsers, social engineering, physical attacks
- Self-XSS, clickjacking on logged-out pages without state change
- Issues in third-party services we depend on (Vercel, Stripe, Anthropic, Resend) — disclose to them directly
Response
- Acknowledgement within 48 hours
- Triage + severity within 5 business days
- Public disclosure coordinated with reporter — we don't embargo without consent
- Credit on a public Hall of Thanks unless you prefer anonymity
Bug bounty
No formal monetary program yet. Material findings earn a thank-you, credit, and lifetime ENTERPRISE-tier access. We'll add a paid program once volume warrants.
Related
- /privacy — privacy policy
- /cookies — cookie disclosure
- /terms — terms of service
- /app/settings/account — data export + deletion