security.txt published at /.well-known/security.txt

Security Policy

We take the security of customer data seriously and welcome reports from independent researchers under a coordinated disclosure model.

Response SLA: 1 business day acknowledgment
Recognition: Hall of fame; swag for impactful reports

Scope

In scope:

  • digitalbar.ai and all subdomains
  • platform.digitalbar.ai (authenticated app)
  • Public API endpoints under /functions/v1/api-*
  • Authentication flows, RLS bypass, tenant isolation issues

Out of scope:

  • Social engineering, physical attacks, denial-of-service
  • Findings on third-party services (report to the vendor)
  • Missing security headers without a demonstrable exploit
  • Automated scanner output without proof of concept

How to report

  1. Email security@digitalbar.ai with a clear description, reproduction steps, and impact assessment.
  2. We acknowledge within 1 business day.
  3. We triage severity, share an ETA, and keep you updated until resolution.
  4. After remediation, we publicly credit you (with your permission) on the trust page.

Safe harbor

We will not pursue legal action against researchers who:

  • Make a good-faith effort to avoid privacy violations and data destruction
  • Only interact with accounts they own or have explicit permission to test
  • Do not exfiltrate data beyond what is needed to demonstrate the vulnerability
  • Give us reasonable time to fix the issue before public disclosure

PGP

For sensitive reports, request our PGP key at security@digitalbar.ai.