Security & Responsible Disclosure

If you find a security vulnerability in PflichtPilot, please report it responsibly. This page describes the contact path, what we promise — and what we don’t guarantee.

Contact

Email: security@pflichtpilot.app

Machine-readable contact details per RFC 9116: /.well-known/security.txt

What we do

We confirm receipt within 5 business days. We review the report, coordinate a disclosure timeline if confirmed, and credit you in the changelog as a finder if you wish.

For critical findings we prioritize the fix and notify you ahead of the release.

What we do not promise

We do not run a bug bounty program. There are no monetary rewards, no fixed SLA response times, and no automated platform handling. PflichtPilot is currently built by one person — please understand response times in that context.

Welcome

Concrete reports with reproduction steps. If possible, test against the staging environment (staging.pflichtpilot.app) rather than production.

Reports about: authentication / authorization gaps, data injection, access to other accounts, bypass of the database permission check, Stripe endpoint manipulation, XSS, CSRF, open redirect, exposed secrets.

Not welcome

Tests that affect other users' accounts or data. Denial-of-service attempts. Social engineering against people or support. Automated vulnerability scans against production without prior coordination. Reports about missing “defense-in-depth” headers or purely theoretical risks without a reproducible exploit path.

Scope

In scope: pflichtpilot.app, staging.pflichtpilot.app, all subdomains, the web app surface, the Edge Functions, the Stripe integration.

Out of scope: third-party platforms (Supabase, Stripe, Cloudflare, hosting provider) — please report directly to them.