Security & Responsible Disclosure

Reporting a vulnerability

Email security@raekview.com. Include a clear reproduction, the affected URL or endpoint, and any relevant request/response data. We acknowledge within one business day and aim to triage HIGH and CRITICAL findings within 72 hours.

Scope

The following are in scope:

• raekview.com and all subdomains
• The RAEK View public API (/api/v1/*)
• The tracker script (/api/track/t.js) and its delivery
• Authentication, session handling, and OAuth integration flows
• Billing, subscription, and Stripe webhook flows
• The partner white-label system and sub-account isolation

The following are out of scope:

• Social engineering of RAEK View staff or customers
• Denial-of-service testing against production
• Automated scanning that generates excessive load
• Physical attacks on Vercel, Neon, Supabase, or Upstash facilities
• Issues that require physical access to a victim's device, or that require the victim to install malicious software
• Vulnerabilities in third-party services we depend on but don't control (please report those upstream)

What you can expect

• Acknowledgement within one business day
• Status update within 5 business days
• Public credit on this page (with your consent) for valid findings
• No legal action against researchers acting in good faith and within the scope above

We don't currently operate a paid bug bounty. If you'd like to be notified when one launches, mention that in your report and we'll add you to the list.

Machine-readable disclosure

See /.well-known/security.txt for the RFC 9116 metadata.