Security disclosure policy

Effective 19 May 2026 · plain-English summary above each clause; the binding terms are the clauses themselves.

If you've found a security issue in Apexkit, this page tells you how to report it, what we promise to do in response, and what's out of scope. We're a small team — but every report gets a human reply, usually within a working day.

01 What's in scope

The following surfaces are in-scope for security reports:

  • apexkit.pro — the marketing site, authenticated app at /app/*, and every API route under /api/*
  • Authentication flows (Supabase Auth wrappers, OAuth callbacks, magic links, password reset)
  • Billing integration (Stripe Checkout, Stripe Customer Portal, webhook signature handling)
  • File handling (Cloudflare R2 uploads, signed-URL generation, PII handling)
  • Tier-enforcement / usage-counter / rate-limit logic

02 What's out of scope

These are valid concerns elsewhere but not eligible for Apexkit responsible disclosure — please don't spend time on them:

  • Denial-of-service / volumetric attacks (we have CDN-level mitigations)
  • Self-XSS that requires the victim to paste attacker-controlled input into their own console
  • Missing security headers without a demonstrable exploit (CSP, HSTS, etc. — we'll improve these on our own cadence)
  • Reports from automated scanners with no proof-of-concept (we won't triage Burp/ZAP raw output)
  • Findings against third-party services (Stripe, Supabase, Cloudflare, OpenAI) — please report those to the respective vendors
  • Issues affecting only outdated browsers / unsupported OS versions
  • Email spoofing / SPF / DKIM / DMARC misconfigurations (we're aware)

03 How to report

Email hello@apexkit.pro with the subject line “Security report”. Include:

  • A description of the issue and the impact you believe it has
  • Step-by-step reproduction (curl commands, sample payloads, screenshots — whatever makes it reproducible)
  • The handle or name you'd like credited (or “anonymous”)

If the issue involves user data, please don't test against accounts that aren't yours. Test accounts you create yourself are fine.

For PGP-encrypted reports: we don't publish a key today. If you need one we'll create a fresh one on request — email us first to ask.

04 What we'll do

Our commitments to every good-faith report:

  • Acknowledge within 1 business day (UK working hours, weekends best-effort)
  • Triage and tell you whether it's in-scope and confirmed within 5 business days
  • Fix or mitigate confirmed issues within 30 days; critical issues (account takeover, data exfiltration, billing manipulation) are prioritised and usually shipped within 48 hours
  • Disclose the fix in the public /changelog, crediting you (with your consent)

If a fix takes longer than 30 days we'll keep you updated; we won't ghost you mid-thread.

05 Safe harbor

We will not pursue legal action against you for security research that:

  • Is conducted in good faith — you're trying to help us fix bugs, not exploit users
  • Doesn't access, modify, or exfiltrate other users' data (use test accounts you control)
  • Doesn't degrade service for other users (no automated DoS, no rate-limit bypass scripts left running)
  • Gives us a reasonable window to fix the issue before any public disclosure (we suggest 90 days from initial report; we'll usually ship far sooner)
  • Doesn't violate UK / EU law, GDPR, or the Computer Misuse Act 1990

If you stay within these lines and your report is sent to hello@apexkit.pro, you have our explicit authorisation to test for vulnerabilities against in-scope surfaces.

06 Rewards & acknowledgments

We don't currently run a paid bug bounty programme — we're a single-operator company and we can't responsibly commit to payouts. That may change once we're at scale; if and when it does, this section will say so.

What we do offer:

  • Public credit in our changelog for confirmed reports, with the handle / name and link you specify
  • Free Apexkit Pro for 12 months for any confirmed high-severity finding (account takeover, billing manipulation, data exfiltration). Email us and we'll arrange the comp.
  • Speed and respect — no “closed as duplicate” with no explanation, no months of silence

07 Machine-readable

The canonical machine-readable version of this policy lives at /.well-known/security.txt per RFC 9116. If you're running automated tooling and the file there contradicts anything on this page, the contact email is authoritative — please reach us that way and we'll square the records.

Questions about this policy that aren't themselves security reports? Email hello@apexkit.pro — happy to clarify scope before you spend research time.