Security

Vulnerability disclosure policy

We welcome reports from security researchers acting in good faith. This policy defines what's in scope, how to reach us, what to expect, and the safe harbor we extend.

Machine-readable contact details: /.well-known/security.txt (RFC 9116).

Scope

saiba.dk and its public subdomains (e.g. preview.saiba.dk).
First-party Saiba-operated infrastructure that backs those domains.
Public Saiba GitHub organisation: SAIBASPACE.

Out of scope

Denial-of-service (DoS / DDoS) testing, volumetric or otherwise.
Social engineering of staff, partners, or customers (including phishing).
Physical attacks against Saiba offices or staff.
Findings against third-party hosted services (Hetzner, Supabase, Vercel, etc.) — please report those upstream and let us know.
Self-XSS, missing security headers without a demonstrable impact, and best-practice nudges without a concrete vulnerability.

How to report

Email: gus@nearweek.com (use subject line prefix [security]).
GitHub security advisory: SAIBASPACE/saiba-internal/security.
PGP: not yet provisioned. Until then, send minimal details by email and we'll coordinate a secure channel.

Please include: a description, reproduction steps, affected URL or component, impact assessment, and any proof-of-concept materials.

What to expect

Acknowledgment within 72 hours of receipt.
Triage and status update within 7 days.
Fix timeline driven by severity:
- Critical: target mitigation within 7 days.
- High: target fix within 30 days.
- Medium: target fix within 90 days.
- Low: tracked, scheduled with the next reasonable release.
Public credit (with your consent) on the trust page acknowledgments after a fix ships.

Safe harbor

Saiba will not pursue legal action against researchers who, in good faith, follow this policy. That means: do not access, modify, or destroy data beyond what's needed to demonstrate impact; do not degrade availability for other users; do not exfiltrate data; report promptly and give us a reasonable window to fix before public disclosure.

If you're unsure whether what you want to test is in scope, ask first — we'd rather collaborate than litigate.

Hall of fame

Researchers who have responsibly disclosed issues will be listed here, with their permission. The list is currently empty — be the first.