Reporting a vulnerability

We take security reports seriously and respond fast. Thank you for looking.

Channels

  • Preferred: security@inboxy.net — PGP key at https://inboxy.net/.well-known/pgp-key.asc.
  • Public key fingerprint: published in https://inboxy.net/.well-known/security.txt.
  • Either way, the same security.txt file is the canonical entry point.

If the issue is being actively exploited and you cannot wait for an email reply, put "active exploitation" in the subject line. That mailbox triggers a page.

Scope

In scope:

  • *.inboxy.net — web, API, MCP server, admin, link interposer.
  • The browser extension(s) once published.
  • The classifier / sender / digest workers — anything reachable via inboxy's domains.

Out of scope:

  • Reports about third-party services we use (Cloudflare, Workers AI, the AI Gateway) — please report those to the vendor; we will track the dependency.
  • Social-engineering attacks against staff.
  • Denial-of-service or resource-exhaustion attacks without a creative twist (we know rate-limits are imperfect).
  • Issues only reproducible on outdated browsers (older than two stable major versions).

Safe harbour

If you act in good faith — limited testing, no exfiltration of other users' data beyond what's needed to demonstrate the issue, prompt disclosure to us, no public disclosure before we've had a reasonable chance to fix — we will not pursue legal action against you for the research itself.

"Good faith" specifically permits creating throwaway inboxy accounts to test cross-tenant isolation. It does not permit testing against other real users' accounts.

Timeline

  • Acknowledge within 72 hours, usually within 24.
  • Triage and severity within 5 business days.
  • For SEV-1 / SEV-2: fix and deploy as quickly as the engineering team can move (usually hours to a few days).
  • We coordinate public disclosure with you. Default is 90 days after fix; we will accommodate earlier disclosure if you prefer.

Rewards

We do not yet run a formal bug bounty. We will publicly credit (with your consent) any reporter whose finding leads to a meaningful fix, both in the relevant commit and in the acknowledgements section referenced from security.txt.

Don't include

  • Real user data, even your own — describe the bug with a minimal reproduction.
  • Working exploits for issues that already have a viable patch, unless you've confirmed the patch is deployed.
  • Other researchers' findings — please don't aggregate other people's reports into yours.

Still need help? support@inboxy.net