Security disclosure policy
Istadi welcomes security research. This page is the single source of truth for how to reach us responsibly. The machine-readable mirror lives at /.well-known/security.txt.
Reporting
Send the issue privately to security@istadi.com. Encrypted email is preferred; our PGP key is available on request, so ask for it in a first message that contains no vulnerability details and send the report itself once you have the key.
Please include:
- A short proof of concept or steps to reproduce.
- The affected Istadi route, the request method, and the query string.
- The browser / client version you used.
- Your handle if you want public credit.
Scope
In scope:
- Authentication, authorization, and session handling.
- Cross-site scripting (XSS), cross-site request forgery (CSRF), and server-side request forgery (SSRF).
- Insecure direct object references on user-owned data.
- Information disclosure of email, chat, or roommate data.
Out of scope:
- Findings on third-party systems we link to (operator sites, OpenStreetMap (OSM) tiles).
- Volumetric DDoS; report it to our hosting provider directly.
- Reports requiring physical access or social engineering.
Safe harbour
We will not pursue legal action against researchers who follow this policy in good faith: access no more data than is required to demonstrate the issue, and give us a reasonable window (90 days from your report) to fix it before public disclosure.
Hall of fame
No reports yet — be the first.