Security policy
We take security seriously. If you've found a vulnerability, please report it through the channels below — we'll respond promptly.
How to report
Email security@steep.shashankthattai.dev with:
- A clear description of the issue and impact
- Steps to reproduce (with a non-destructive proof-of-concept)
- Any affected URLs, accounts, or endpoints
- Your name + how you'd like to be credited (or anonymous)
PGP key on request — reply with one if you'd like an encrypted thread.
In scope
- Anything on steep.shashankthattai.dev and its subdomains
- API endpoints under /api/*
- Authentication / authorization issues
- Payment-flow / webhook-handling vulnerabilities
- Server-side data exposure (PII, payment metadata)
- Cross-site scripting, CSRF, server-side request forgery
- Privilege escalation between user accounts or to admin
Out of scope
- Findings already disclosed in our published audits or roadmap
- Denial-of-service / volumetric attacks against production
- Findings against third-party services (Stripe, Supabase, Vercel) — report those upstream
- Missing security headers without a concrete exploit path
- Self-XSS / clickjacking on pages with no sensitive actions
- Password-policy disagreements (we follow Supabase defaults)
What to expect
- Within 48h: acknowledgement that we received your report
- Within 7 days: triage decision (in-scope / out-of-scope / duplicate)
- Within 30 days: fix shipped or timeline communicated
- After fix: public credit on this page (with permission), and notification to you
Rewards
We're a small indie store and don't yet run a paid bounty program. For valid reports we offer:
- Public credit on this page (or anonymous if you prefer)
- A handwritten thank-you and steep merch when we have any
- Lifetime free access to all steep digital products
For severe findings (RCE, mass PII exposure) we'll do something more — reach out and we'll figure it out together.
Safe harbor
We will not pursue legal action against researchers who:
- Make a good-faith effort to avoid harm to users, services, or data
- Test only against accounts they own or have explicit permission to test
- Disclose privately to us first and give us reasonable time to fix
- Avoid public disclosure until we've shipped a fix or 90 days have passed
Acknowledgements
Thanks to the following researchers for responsibly disclosed findings:
(Be the first — your name goes here.)
See also: /.well-known/security.txt (machine-readable per RFC 9116).