Security

Security Disclosure

We take security seriously. If you've found a vulnerability in Docually, please report it responsibly so we can fix it quickly.

How to report a vulnerability

If you believe you've found a security vulnerability in Docually — whether it affects our static site, Cloudflare Worker API, or third-party integrations — please do not open a public GitHub issue. Instead, contact us privately.

🔒 Private disclosure

Send your report to our security team. We aim to acknowledge all reports within 48 hours.

security@docually.com

Alternatively, use the Contact page and select "Security disclosure" as the inquiry type.

📋 What to include in your report

• Description of the vulnerability and its potential impact
• Step-by-step reproduction instructions
• Affected URL, endpoint, or component
• Any supporting evidence (screenshots, proof-of-concept, logs)

Scope

The following assets are in scope for responsible disclosure:

Asset                                             | Status       | Notes
docually.com (Pages static site)                  | In scope     | All HTML pages and public-facing frontend
Cloudflare Worker API endpoints                   | In scope     | Auth, contact form, future edge-mode tools
Authentication flow (GitHub SSO, email/password)  | In scope     | Phase 2 — when live
Client-side tool processing (pdf-lib, Tesseract.js) | In scope   | Local-mode security, data leakage
Third-party CDN scripts (unpkg, cdnjs)            | Out of scope | Report to the CDN/library maintainers
Cloudflare infrastructure itself                  | Out of scope | Report via HackerOne → Cloudflare
Social engineering / phishing                     | Out of scope | Not a product vulnerability

Our response process

• Day 1–2 — Acknowledgement: We confirm receipt and assign the report to a reviewer. You'll get a reference ID.
• Day 3–7 — Triage & verification: We reproduce and classify the issue by severity (Critical / High / Medium / Low).
• Day 7–30 — Fix & patch: We develop and deploy a fix. Timeline depends on severity — critical issues are patched within 7 days.
• Post-fix — Disclosure coordination: We coordinate with you on public disclosure timing. We follow a 90-day default disclosure window.

PGP encryption

For sensitive reports, you may encrypt your email using our PGP public key. Key publishing is planned for Phase 2 — in the meantime, contact us via the secure form on the Contact page using the "Security disclosure" inquiry type, which routes to a monitored private channel.

⚠️ No public disclosure before fix

Please do not publicly disclose details of a vulnerability before we have had a reasonable opportunity to fix it. We commit to acting promptly and keeping you informed throughout the process.

Responsible disclosure guidelines

  • Do not access, modify, or delete user data beyond what is necessary to demonstrate the vulnerability.
  • Do not perform denial-of-service attacks or actions that degrade service reliability.
  • Do not use automated scanners against production systems without prior approval.
  • Stop testing and report immediately if you access any personal or sensitive data.
  • Test against your own accounts — never against other users' data.

Researchers who follow these guidelines will not face legal action from Docually in connection with their research, and we will treat your report in good faith.

Acknowledgements

We maintain a security acknowledgements page for researchers who responsibly disclose valid vulnerabilities. If you would like to be credited publicly, please let us know in your report.

Currently: No reports received yet — be the first.

This policy was last updated: 2026-02-22. Questions about this policy? Contact us.
