# Security Policy

Thank you for taking the time to investigate the security of Observance. We treat security reports seriously and will work with you to validate, fix, and disclose responsibly.

## Reporting a vulnerability

**Email**: [security@observance.dev](mailto:security@observance.dev)

**PGP**: available on request — reply to the same address asking for the public key.

Please include:

- A description of the issue and its impact.
- Steps to reproduce (curl commands, payloads, or a minimal proof-of-concept).
- The component affected (API, developer console, landing site).
- Your name or handle if you'd like attribution in the disclosure.

**Do NOT** open a public GitHub issue, post on social media, or share the details with third parties before we have had a chance to respond.

## Response timeline

- **Acknowledgement**: within **72 hours** of receipt.
- **Initial assessment** (severity + scope): within **7 days**.
- **Fix or mitigation in production**: within **30 days** for high-severity issues; lower-severity issues are scheduled into the next regular release.
- **Public disclosure**: coordinated with the reporter — by default we aim to publish within **90 days** of the report, sooner if a fix is already shipped.

## Scope

In scope:

- The API at `api.observance.dev` and any subdomain serving Observance services.
- The developer console at `console.observance.dev`.
- The marketing landing site at `observance.dev`.
- Code in this repository (`observance-api`) and the companion `observance-console` repository.

Out of scope (please do not test):

- Denial-of-service attacks against the live service.
- Social engineering of Observance staff or customers.
- Physical attacks against infrastructure.
- Vulnerabilities in third-party dependencies (please report those to the upstream maintainer; if the vulnerability is exploitable in the way Observance integrates the dependency, that part is in scope).
- Findings from automated scanners that do not include a working proof-of-concept.

## Out-of-band channels (PayPal / Resend)

Observance integrates PayPal for billing and Resend for transactional email. Vulnerabilities in those services should be reported to the respective vendors. If a flaw in our integration leaks data or escalates privileges, that is in scope here.

## Recognition

If you'd like to be credited, we'll list your name (or chosen handle) in the disclosure note when the fix ships. We do not currently run a paid bug-bounty program, but we are happy to send a small thank-you (a postcard, a t-shirt) for substantive reports.

## What this policy is NOT

- This document is not a contract.
- It does not authorize testing that violates applicable law.
- It does not waive any rights Observance has to enforce its terms of service against destructive or out-of-scope testing.

Last updated: 2026-05-08.
