Vulnerability Disclosure Policy

At Paperlust, we care deeply about the safety and security of our customers' data. We value contributions from the security community that help us identify and remediate vulnerabilities across our products and services.

How to report an issue

If you discover a security issue that is in scope (see below), please email tech@paperlust.co with:

  • A clear summary of the vulnerability and its potential impact
  • Step-by-step reproduction instructions (screenshots or video welcome)
  • Details about your testing environment (OS, browser, device)
  • If possible, proof-of-concept (PoC) code demonstrating the issue

Our team will investigate upon receipt. We'll keep you updated on progress and may request additional information to assist our triage and remediation.

Reward Tiers (indicative)

  • Low: non-sensitive info leaks, minor rate-limit bypass.
  • Medium: reflected XSS requiring user interaction, scoped IDOR.
  • High: authentication bypass, privilege escalation, SQL injection on sensitive data, widespread stored XSS.

In scope

  • https://paperlust.co
  • https://weddings.paperlust.co
  • https://printshop.paperlust.co
  • Paperlust mobile web and progressive web app experiences
  • Paperlust-owned GitHub apps and repositories

Out of scope

  • Automated scanning or high-volume fuzzing without coordination
  • Social engineering (including of Paperlust employees or partners)
  • Brute force attacks (password or credential stuffing)
  • Distributed denial of service (DDoS) or denial of service (DoS)
  • Clickjacking on pages without sensitive actions
  • Theoretical attacks without demonstrable exploitability
  • Attacks requiring physical access to a victim's device
  • Vulnerabilities in third-party services not operated by Paperlust

Guidelines for testing

  • Test using your own account. Test against another user's account only with that account holder's explicit written permission
  • Do not access, copy, modify, or destroy production data
  • Do not disrupt our services or degrade performance
  • Respect our Privacy Policy, Terms of Service, and applicable data protection regulations
  • Do not disclose the vulnerability publicly before reporting it through the process above and allowing us reasonable time to remediate

Responsible disclosure

We appreciate coordinated disclosure. If you follow these guidelines and act in good faith, we will not pursue or support legal action against you for security research conducted within this policy's scope.

Thank you for helping us keep Paperlust secure.