How to report
Email support@voiddo.com with the subject line "Security vulnerability report". One human reads that inbox.
Please include:
- What product or domain is affected (scrb, rankd, voiddo.com, browser extension, etc.)
- Steps to reproduce — the simpler, the faster we fix it
- Your assessment of impact and any proof-of-concept code or screenshots
- Your handle if you'd like credit when we publish a fix
Our response
- Initial reply: within 48 hours, counting weekdays only.
- Triage: we'll confirm reproducibility and assign a severity within 5 business days.
- Fix timeline: critical issues are patched within 7 days, medium severity within 30 days, and low severity is batched into normal release cycles.
- Disclosure: coordinated disclosure preferred. We'll credit reporters in our release notes unless asked otherwise.
Scope
In scope:
- voiddo.com and all *.voiddo.com subdomains
- Browser extensions we publish (scrb, rankd, jobmeta, pricepulse, randumb, tabsnap, jsonyo, tokcount, interviewprep)
- npm packages under the @v0idd0 scope
- Mobile apps we publish (Void Factory, others)
Out of scope:
- Third-party services (Paddle billing, Cloudflare, Google APIs, Resend mail) — report directly to those vendors
- Social engineering against staff
- Physical attacks against our infrastructure
- Denial-of-service via traffic flooding
- Self-XSS without an external attack vector
- Spam or phishing originating from external senders
Safe harbor
If you make a good-faith effort to comply with this policy, we will not pursue legal action against you, even if your testing inadvertently violates other terms. Specifically, we agree to:
- Not pursue civil or criminal action for security research conducted within scope
- Treat your report confidentially until coordinated disclosure
- Recognize your contribution publicly if you wish
Please act in good faith — only test against your own accounts, don't access or modify other users' data, and let us know promptly if you accidentally do.
What we don't have
We're a small studio (6 people). We don't currently run a paid bug bounty program, we don't have a SOC 2 audit, and we don't have a dedicated security team. We do read every report and we fix what we find.
If you're evaluating us as an enterprise vendor and need formal security certifications, we're not the right fit yet. For everyone else — solo developers, agencies, small teams — we believe transparent disclosure and fast fixes matter more than badges.