Security & Responsible Disclosure

If you find a security vulnerability in PflichtPilot, please report it responsibly. This page describes the contact path, what we promise — and what we don’t guarantee.

Contact

Email: security@pflichtpilot.app

Machine-readable contact details per RFC 9116: /.well-known/security.txt

What we do

We confirm receipt within 5 business days. We review the report, coordinate a disclosure timeline if the issue is confirmed, and credit you in the changelog as the finder if you wish.

For critical findings we prioritize the fix and notify you ahead of the release.

What we do not promise

We do not run a bug bounty program. There are no monetary rewards, no fixed SLA response times, and no automated platform handling. PflichtPilot is currently built by one person — please understand response times in that context.

Welcome

Concrete reports with steps to reproduce. If possible, test against the staging environment (staging.pflichtpilot.app) rather than production.

Reports about: authentication / authorization gaps, data injection, access to other accounts, RLS bypass, Stripe endpoint manipulation, XSS, CSRF, open redirect, exposed secrets.

Not welcome

Tests that affect other users' accounts or data. Denial-of-service attempts. Social engineering against people or support. Automated vulnerability scans against production without prior coordination. Reports about missing “defense-in-depth” headers or purely theoretical risks without a reproducible exploit path.

Scope

In scope: pflichtpilot.app, staging.pflichtpilot.app, all subdomains, the web app surface, the Edge Functions, the Stripe integration.

Out of scope: third-party platforms (Supabase, Stripe, Cloudflare, hosting provider) — please report directly to them.