Vulnerability disclosure

Good-faith security reporting boundaries

This page gives security reporting guidance without exposing internal endpoints, credentials, or infrastructure names, and without making an unapproved bounty promise.

Effective date: June 25, 2026

Verified technical control (Security controls)

Browser security headers

Production HTML responses receive strict browser security headers, including frame protection, same-origin protections, request IDs, and a controlled Content Security Policy (CSP).

Evidence: src/proxy.ts and browser security tests enforce the browser-security boundary.
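The control above is easier to reason about with the header set written out and a check that tests can run against any response. The block below is an added example, not DueBid's src/proxy.ts or its test suite: the header names are standard, but the CSP value, the HSTS lifetime and the request-ID header name (x-request-id) are assumptions rather than values taken from the page.

```typescript
// Added example, not DueBid's src/proxy.ts: build the strict browser security
// headers a production HTML response should carry, and check a header set for
// them. Header names are standard; the CSP value, the HSTS lifetime and the
// request-ID header name (x-request-id) are assumptions, not taken from the page.

export type HeaderMap = Record<string, string>;

// `nonce` is a fresh per-response CSPRNG value generated by the caller; taking
// it as a parameter keeps this function pure so it can be unit-tested.
export function securityHeaders(requestId: string, nonce: string): HeaderMap {
  const csp = [
    "default-src 'self'",
    `script-src 'self' 'nonce-${nonce}' 'strict-dynamic'`,
    "object-src 'none'",
    "base-uri 'self'",
    "frame-ancestors 'none'", // modern frame protection; X-Frame-Options covers old browsers
    "form-action 'self'",
  ].join("; ");
  return {
    "content-security-policy": csp,
    "x-frame-options": "DENY",
    "x-content-type-options": "nosniff",
    "referrer-policy": "strict-origin-when-cross-origin",
    "cross-origin-opener-policy": "same-origin",
    "cross-origin-resource-policy": "same-origin",
    "permissions-policy": "camera=(), microphone=(), geolocation=()",
    "strict-transport-security": "max-age=63072000; includeSubDomains",
    "x-request-id": requestId, // assumed header name for the request ID
  };
}

function hstsMaxAge(value: string): number {
  const m = /max-age=(\d+)/i.exec(value);
  return m ? Number(m[1]) : 0;
}

// Each required header paired with the predicate its value must satisfy.
const REQUIRED: Array<[string, (value: string) => boolean]> = [
  ["content-security-policy", (v) => v.includes("frame-ancestors 'none'") && !v.includes("'unsafe-inline'")],
  ["x-frame-options", (v) => v.toUpperCase() === "DENY"],
  ["x-content-type-options", (v) => v.toLowerCase() === "nosniff"],
  ["cross-origin-opener-policy", (v) => v === "same-origin"],
  ["referrer-policy", (v) => v !== "" && v !== "unsafe-url"],
  ["strict-transport-security", (v) => hstsMaxAge(v) >= 31536000], // at least one year
  ["x-request-id", (v) => /^[A-Za-z0-9._-]{8,128}$/.test(v)],
];

// Returns the names of headers that are absent or weaker than required; an
// empty array means the boundary holds. Lookup is case-insensitive because
// HTTP treats header names that way.
export function missingSecurityHeaders(headers: HeaderMap): string[] {
  const lower: HeaderMap = {};
  for (const k of Object.keys(headers)) lower[k.toLowerCase()] = headers[k];
  const missing: string[] = [];
  for (const [name, ok] of REQUIRED) {
    const v: string | undefined = lower[name];
    if (v === undefined || !ok(v)) missing.push(name);
  }
  return missing;
}
```

A browser-security test then asserts `missingSecurityHeaders(responseHeaders)` is empty for every HTML route; the check deliberately rejects a CSP that still relies on `'unsafe-inline'` or lacks `frame-ancestors`, which is the usual way a "present but ineffective" CSP slips through.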

Verified technical control (Operations)

Public production source maps are not served

The production build disables browser source maps and prunes public source-map files after build.

Evidence: next.config.mjs disables productionBrowserSourceMaps; scripts/build-and-prune.mjs runs scripts/prune-public-source-maps.mjs.
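Disabling map generation in the bundler and pruning the output are two separate layers: the config setting stops Next.js from emitting browser maps, and the prune catches any `.map` file that reaches the public output some other way, such as a dependency that ships its own. The block below is an added example and is not DueBid's scripts/prune-public-source-maps.mjs or scripts/build-and-prune.mjs; `productionBrowserSourceMaps` is a real Next.js option, while the directory layout and the fixture files are constructed for the example.

```typescript
// Added example, not DueBid's scripts/prune-public-source-maps.mjs: locate and
// delete *.map files under a public build output directory, then gate the build
// on none remaining. The fixture layout is constructed; only
// `productionBrowserSourceMaps` is a real Next.js option.
import * as fs from "node:fs";
import * as os from "node:os";
import * as path from "node:path";

// Layer 1, in next.config.mjs, stops the bundler from emitting browser maps:
//   export default { productionBrowserSourceMaps: false };
// Layer 2, below, removes any map that reached the output anyway. A shipped map
// lists original file names and can embed full source, which is exactly the
// internal detail a public deployment should not hand out.

// Walk `root` recursively and return every file path ending in .map.
export function findSourceMaps(root: string): string[] {
  const found: string[] = [];
  const stack: string[] = [root];
  while (stack.length > 0) {
    const dir = stack.pop() as string;
    for (const entry of fs.readdirSync(dir, { withFileTypes: true })) {
      const full = path.join(dir, entry.name);
      if (entry.isDirectory()) stack.push(full);
      else if (entry.isFile() && full.endsWith(".map")) found.push(full);
    }
  }
  return found.sort();
}

// Delete every source map under `root`; returns the paths removed so the build
// log records what was pruned.
export function pruneSourceMaps(root: string): string[] {
  const maps = findSourceMaps(root);
  for (const f of maps) fs.unlinkSync(f);
  return maps;
}

// Post-build gate: fail loudly if a map survived, so CI cannot ship one.
export function assertNoSourceMaps(root: string): void {
  const left = findSourceMaps(root);
  if (left.length > 0) throw new Error(`public source maps present: ${left.join(", ")}`);
}

// Constructed fixture standing in for a built output tree (not DueBid's build).
export function makeConstructedBuildDir(): string {
  const root = fs.mkdtempSync(path.join(os.tmpdir(), "prune-example-"));
  const files: Record<string, string> = {
    "static/chunks/app.js": "console.log('app');\n//# sourceMappingURL=app.js.map\n",
    "static/chunks/app.js.map": '{"version":3,"sources":["src/app.tsx"],"mappings":""}',
    "static/css/site.css": "body{margin:0}",
    "static/css/site.css.map": '{"version":3,"sources":["src/site.scss"],"mappings":""}',
  };
  for (const [rel, body] of Object.entries(files)) {
    const full = path.join(root, rel);
    fs.mkdirSync(path.dirname(full), { recursive: true });
    fs.writeFileSync(full, body);
  }
  return root;
}
```

Run `pruneSourceMaps` then `assertNoSourceMaps` over the public output directory as the last build step. The `//# sourceMappingURL=` comment left in `app.js` is harmless once the map is gone (the browser simply fails to fetch it), but teams that want a clean artifact strip that comment as well.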

Verified technical control (Operations)

Safe outage surfaces

Error and outage surfaces show safe recovery guidance and request IDs without exposing protected readiness, infrastructure topology, internal storage names, scanner names, or backend internals.

Evidence: Global and locale error pages render safe request IDs; BFF route handlers return sanitized backend-unavailable envelopes.
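The sanitized envelope works because the server-side log and the client response are built from different inputs: the log gets the upstream detail keyed by request ID, the client gets only constants plus that ID. The block below is an added example, not DueBid's BFF route handlers or error pages; the field names, the 503 status, the retry interval and the sample upstream error are assumptions or constructed values.

```typescript
// Added example, not DueBid's BFF route handlers: convert an upstream failure
// into a "backend unavailable" envelope that carries a request ID and recovery
// guidance but none of the upstream diagnostic text. Field names, status code,
// retry interval and the sample error are assumptions/constructed values.

export interface SafeEnvelope {
  ok: false;
  code: "backend_unavailable";
  message: string;
  requestId: string;
  retryAfterSeconds: number;
}

const REQUEST_ID = /^[A-Za-z0-9._-]{8,128}$/;

// Only echo a request ID that matches a tight charset; anything else is
// replaced by a fresh opaque value, so a crafted inbound header can never
// place attacker-chosen text on an error page.
export function safeRequestId(candidate: unknown, fallback: () => string): string {
  return typeof candidate === "string" && REQUEST_ID.test(candidate) ? candidate : fallback();
}

export function handleUpstreamFailure(
  err: unknown,
  requestId: string,
  log: (line: string) => void = console.error,
): { status: number; headers: Record<string, string>; body: SafeEnvelope } {
  // Server side keeps the detail, correlated by request ID for incident work.
  const detail = err instanceof Error ? `${err.name}: ${err.message}` : String(err);
  log(`[${requestId}] upstream failure: ${detail}`);

  // Client side gets constants plus the ID; `err` is never serialized here.
  const retryAfterSeconds = 30;
  return {
    status: 503,
    headers: { "retry-after": String(retryAfterSeconds), "x-request-id": requestId },
    body: {
      ok: false,
      code: "backend_unavailable",
      message:
        "The service is temporarily unavailable. Try again shortly; if the problem persists, quote this request ID when you contact support.",
      requestId,
      retryAfterSeconds,
    },
  };
}

// The leaky shape, kept only so the check below has something to reject:
// passing err.message through exposes hostnames, ports and driver errors.
export function leakyEnvelope(err: Error, requestId: string): Record<string, unknown> {
  return { ok: false, error: err.message, requestId };
}

// Test helper: true if any token of six or more characters from the upstream
// message appears in the serialized body a client would receive.
export function leaksUpstreamText(body: unknown, upstream: Error): boolean {
  const serialized = JSON.stringify(body);
  return upstream.message
    .split(/\s+/)
    .filter((t) => t.length >= 6)
    .some((t) => serialized.includes(t));
}
```

A route-handler test feeds a constructed upstream error with a hostname and port into the handler and asserts `leaksUpstreamText` is false for the response body while the captured log line still contains the detail and the request ID; the same assertion against `leakyEnvelope` shows what the check catches.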

Not configured for launch (Operations)

Backup and restore commitments

Public backup and restore commitments require approved deployment input before publication.

Evidence: No approved public RPO, RTO, backup region, or restore-drill claim is checked into the frontend.

Not configured for launch (Operations)

No public certifications claimed

No SOC 2, ISO 27001, penetration-test, insurance, SLA, uptime, or audit-certification claim is published unless approved evidence is supplied.

Evidence: Trust-content scan rejects fake certification and uptime language.

Good-faith security reporting boundaries

A public security contact is required before production launch. Until it is approved, this page documents safe reporting boundaries without inventing a contact.

  • Good-faith reports about DueBid public web, account, upload, report-delivery, and billing surfaces are in scope once a public security contact is approved.
  • Do not perform destructive testing, persistence, social engineering, spam, denial-of-service, data exfiltration, or testing against customer data.
  • Do not publicly disclose active vulnerabilities before DueBid has investigated and remediated the issue.

No public bug bounty is offered unless an approved bounty program is published.