Responsible Disclosure

Bug Bounty Program

Security is core to everything we build. If you find a vulnerability, we want to know — and we want to thank you for helping us keep our consultants and their clients safe.

Reward tiers

  • Critical: auth bypass, mass data exposure, payment fraud. Reward: public acknowledgement + platform credit.
  • High: privilege escalation, IDOR affecting multiple users. Reward: public acknowledgement + platform credit.
  • Medium: stored XSS, CSRF, limited data exposure. Reward: public acknowledgement.
  • Low: reflected XSS, information disclosure with low impact. Reward: acknowledgement at our discretion.

We are a small, bootstrapped team. Rewards are currently non-monetary but we are committed to public acknowledgement and plan to introduce cash rewards as the platform grows.

How it works

01. Discover & document

Reproduce the vulnerability and document it clearly: what you found, how to reproduce it, and what the potential impact is. Screenshots or a screen recording are very helpful.

02. Report privately

Email your report to security@shimaya.app with the subject line "[Security Report] <brief description>". Do not post publicly or share with third parties before we've had a chance to fix it.

03. We acknowledge within 72h

We'll confirm receipt and give you a timeline for review. We aim to assess severity within 5 business days and ship a fix within 30 days for critical issues.

04. Coordinated disclosure

Once the fix is live, we'll coordinate public disclosure with you. We'll credit you by name (or anonymously if you prefer) in our security acknowledgements.

In scope

  • Authentication and session management
  • Authorisation bypass (accessing other users' data)
  • SQL injection and database exposure
  • Cross-site scripting (XSS) in the dashboard or public pages
  • Server-side request forgery (SSRF)
  • Insecure direct object references (IDOR)
  • API endpoint authentication and rate-limit bypass
  • Payment flow manipulation (Polar.sh integration)
  • Row-level security (RLS) bypass in Supabase
  • Privilege escalation to admin role

Out of scope

  • Denial of service (DoS/DDoS) attacks
  • Brute-force attacks on login without evidence of a bypass
  • Social engineering of Shimaya staff
  • Physical attacks on infrastructure
  • Third-party services (Supabase, Polar.sh, Resend) — report those to the respective vendors
  • Vulnerabilities requiring root/physical access to a device
  • Issues in libraries that have no impact on Shimaya itself
  • Missing HTTP security headers without demonstrated exploit
  • Rate limiting on non-sensitive endpoints
  • Self-XSS that requires convincing a victim to run code in their browser

Safe harbour rules

We will not pursue legal action against researchers who follow responsible disclosure. To qualify for safe harbour you must:

  • Not access, modify, or delete data belonging to other users beyond what is necessary to demonstrate the vulnerability.
  • Not perform denial-of-service testing.
  • Not disclose the issue publicly until we have shipped a fix and coordinated a disclosure date with you.
  • Report the vulnerability to us in good faith before exploiting it.

Found something?

Email a detailed report to security@shimaya.app. We read every report personally.