Vulnerability Disclosure Policy

We're grateful for the security community's help in keeping Cadences.work safe. This page sets out how to report an issue, what you can expect from us, and what we ask of you.

How to report

Email security@cadences.work. A PGP key is available on request for sensitive disclosures.

Please include:

• A description of the issue and its potential impact
• Steps to reproduce, ideally with a proof-of-concept
• Your name or handle if you'd like to be credited

What we commit to

• Acknowledge your report within 2 business days
• Provide a status update within 7 business days
• Validate, fix, and (where appropriate) credit you in our release notes

Scope

In scope: any system at *.cadences.work, the Cadences.work API, and our public source code repositories.

Out of scope:

• Sub-processor infrastructure — please report directly to Vercel, Supabase, OpenAI, etc., per their disclosure programmes
• Denial-of-service testing
• Physical attacks against our office or staff
• Social engineering

Safe harbour

We will not pursue legal action against researchers acting in good faith under this policy, provided you:

• Do not exfiltrate data beyond what is necessary to demonstrate the issue
• Do not degrade availability of the service
• Give us a reasonable window to remediate before public disclosure (≥90 days, or sooner by mutual agreement)

No bug bounty (yet)

We do not currently offer monetary rewards. As we grow we expect to introduce a structured programme; meanwhile we credit researchers in our release notes and on this page.

Hall of fame

No reports yet. Be the first.