Security & Vulnerability Disclosure Policy

If you believe you’ve found a security vulnerability, please email us at security@curedbycarnivore.com. Include a clear description, steps to reproduce, potential impact, and any proof-of-concept you can share.

• Encrypting reports is optional. If you require PGP, contact us and we can coordinate a secure key exchange.
• We accept anonymous reports, but we may be unable to provide updates without a reply channel.
• For time-sensitive or actively exploited issues, please clearly mark the subject as “URGENT”.

Our machine-readable security policy is also published at /.well-known/security.txt.

This policy covers all assets and services operated under the curedbycarnivore.com domain, including:

• Primary website and content at curedbycarnivore.com
• Public APIs and endpoints exposed by the site
• Client-side JavaScript delivered from our domain

Third-party platforms, integrations, and services are generally out of scope unless explicitly stated otherwise, but we welcome reports that help us remediate supply chain risks.

We support responsible disclosure and will not pursue legal action against researchers acting in good faith who:

• Make a good-faith effort to avoid privacy violations, data destruction, and service disruption
• Only test against assets in scope and respect rate limits
• Provide us reasonable time to remediate before public disclosure
• Comply with all applicable laws

If you follow these principles, we consider your research authorized and will work with you to understand and resolve the issue.

• Acknowledgment: We aim to acknowledge receipt within 3 business days.
• Initial assessment: Triage and prioritization typically within 5–10 business days.
• Remediation: Timeframes vary by severity and complexity; we will provide updates as we progress.
• Disclosure: By default we recommend 90 days for coordinated disclosure, but we are open to reasonable adjustments.

• No DDoS, spam, social engineering, or physical attacks.
• No automated scanning that overwhelms the service; keep request rates reasonable.
• Do not access, modify, or exfiltrate data that is not yours.
• Use test accounts where possible; avoid impacting real users.
• Respect robots.txt and any published API rate limits.

• Reports that only describe best practices without a specific, actionable vulnerability
• Missing security headers that do not lead to a concrete exploit
• Clickjacking on pages without sensitive state-changing actions
• Self-XSS or issues requiring a victim to paste malicious code into the browser console
• Use of outdated libraries without a demonstrable exploit path
• Low-impact CSRF on non-sensitive actions

We currently do not operate a public bug bounty program. We may, at our discretion, offer swag or a token of appreciation for high-impact reports. Your research time is valuable—thank you for helping us keep users safe.

With your permission, we are happy to credit researchers who responsibly disclose verified vulnerabilities. If you would like acknowledgment, please let us know how to attribute your contribution.