
Responsible Disclosure Policy

We welcome security reports from good-faith researchers.

How to Report

Email security@scorchpad.rsaatlabs.com with a clear description of the issue, reproduction steps, and any supporting evidence. Encrypt sensitive reports with our PGP key at /pgp-key.txt.

Response Timeline

  • Acknowledgment: within 48 hours of receiving your report.
  • Triage: within 5 business days.
  • Critical fix: within 7 days of confirmed reproduction.
  • Disclosure: coordinated; we will notify you before publishing any advisory.

In Scope

  • Zero-knowledge encryption model (AES-256-GCM, PBKDF2 implementation)
  • API route vulnerabilities (injection, broken access control, IDOR)
  • Authentication or authorization bypass (Clerk session handling)
  • Rate limit bypass on paste creation or password verification
  • Information disclosure (paste content, decryption keys, raw IPs)
  • Burn-after-reading race conditions or atomicity failures
  • CSP bypass or XSS via decrypted paste rendering
  • URL fragment leakage (key appearing in server logs, Sentry events, Referer headers)

Out of Scope

  • Social engineering or phishing of ScorchPad staff
  • Physical access to infrastructure
  • Vulnerabilities in third-party services (Clerk, Vercel, Upstash, Sentry)
  • Denial-of-service attacks
  • Automated scanning without prior coordination
  • Reports requiring unlikely user interaction or non-default browser settings

Safe Harbour

We will not pursue legal action against researchers who act in good faith, avoid accessing or modifying data belonging to other users, and report findings to us before public disclosure. We ask that you avoid disrupting production services during investigation.

Hall of Fame

We publicly credit researchers who responsibly disclose valid vulnerabilities. Recognition is listed here after the fix ships and coordinated disclosure is complete. Thank you to everyone who has contributed.

— No entries yet. Be the first.

See also: /.well-known/security.txt