Vulnerability disclosure
Good-faith security reporting boundaries
Security reporting guidance without exposing internal endpoints, credentials, infrastructure names, or an unapproved bounty promise.
Effective date: June 25, 2026
Browser security headers
Production HTML responses receive strict browser security headers, including frame protection, same-origin protections, request IDs, and controlled CSP behavior.
Evidence: src/proxy.ts and browser security tests enforce the browser-security boundary.
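As an added example (not DueBid's src/proxy.ts or its browser security tests), the TypeScript check below audits a response's header map for the four boundaries named above: frame protection, same-origin protections, a request ID, and a controlled CSP. The header names it looks for, including the request-ID header name, are assumptions rather than DueBid's actual configuration.

```typescript
// Added example: audit of the browser-security header boundary described above.
// Header names, including the request-ID header, are assumptions, not DueBid's config.
type HeaderMap = Record<string, string>;
const REQUEST_ID_HEADER = "x-request-id"; // assumed name of the request-ID header

// Case-insensitive header lookup, since captured header maps are often mixed-case.
function getHeader(headers: HeaderMap, name: string): string | undefined {
  const key = Object.keys(headers).find((k) => k.toLowerCase() === name.toLowerCase());
  return key === undefined ? undefined : headers[key];
}

// Frame protection: X-Frame-Options DENY/SAMEORIGIN, or CSP frame-ancestors 'none'/'self'.
function hasFrameProtection(headers: HeaderMap): boolean {
  const xfo = (getHeader(headers, "x-frame-options") ?? "").trim().toUpperCase();
  if (xfo === "DENY" || xfo === "SAMEORIGIN") return true;
  const csp = getHeader(headers, "content-security-policy") ?? "";
  return /(^|;)\s*frame-ancestors\s+('none'|'self')\s*(;|$)/i.test(csp);
}

// Same-origin protections: opener isolation plus resource isolation.
function hasSameOriginProtection(headers: HeaderMap): boolean {
  const coop = (getHeader(headers, "cross-origin-opener-policy") ?? "").trim().toLowerCase();
  const corp = (getHeader(headers, "cross-origin-resource-policy") ?? "").trim().toLowerCase();
  return coop === "same-origin" && (corp === "same-origin" || corp === "same-site");
}

// Controlled CSP: a default-src directive must exist and must not be the bare wildcard.
function hasControlledCsp(headers: HeaderMap): boolean {
  const csp = getHeader(headers, "content-security-policy") ?? "";
  const directives = csp.split(";").map((d) => d.trim().toLowerCase());
  const defaultSrc = directives.find((d) => d.startsWith("default-src"));
  return defaultSrc !== undefined && !/\s\*(\s|$)/.test(defaultSrc + " ");
}

// Returns the boundaries the response fails; an empty array means the boundary holds.
function auditBrowserSecurityHeaders(headers: HeaderMap): string[] {
  const findings: string[] = [];
  if (!hasFrameProtection(headers)) findings.push("frame-protection");
  if (!hasSameOriginProtection(headers)) findings.push("same-origin-protection");
  if (!hasControlledCsp(headers)) findings.push("csp");
  if (!getHeader(headers, REQUEST_ID_HEADER)) findings.push("request-id");
  return findings;
}

// Constructed sample responses: one that meets the boundary and one that does not.
const strictHeaders: HeaderMap = {
  "X-Frame-Options": "DENY",
  "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
  "Cross-Origin-Opener-Policy": "same-origin",
  "Cross-Origin-Resource-Policy": "same-origin",
  "X-Request-Id": "req-0001",
};
const weakHeaders: HeaderMap = { "Content-Security-Policy": "default-src *" };
console.log(auditBrowserSecurityHeaders(strictHeaders), auditBrowserSecurityHeaders(weakHeaders));
```

A test like this is most useful run against the real production HTML response so that a regression in the header middleware fails the build rather than reaching users.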
Public production source maps are not served
The production build disables browser source maps and prunes public source-map files after build.
Evidence: next.config.mjs disables productionBrowserSourceMaps; scripts/build-and-prune.mjs runs scripts/prune-public-source-maps.mjs.
Safe outage surfaces
Error and outage surfaces show safe recovery guidance and request IDs without exposing protected readiness, infrastructure topology, internal storage names, scanner names, or backend internals.
Evidence: Global and locale error pages render safe request IDs; BFF route handlers return sanitized backend-unavailable envelopes.
Backup and restore commitments
Public backup and restore commitments require approved deployment input before publication.
Evidence: No approved public RPO, RTO, backup region, or restore-drill claim is checked into the frontend.
No public certifications claimed
No SOC 2, ISO 27001, penetration-test, insurance, SLA, uptime, or audit-certification claim is published unless approved evidence is supplied.
Evidence: Trust-content scan rejects fake certification and uptime language.
Good-faith security reporting boundaries
A public security contact is required before production launch. Until it is approved, this page documents safe reporting boundaries without inventing a contact.
- Good-faith reports about DueBid public web, account, upload, report-delivery, and billing surfaces are in scope once a public security contact is approved.
- Do not perform destructive testing, persistence, social engineering, spam, denial-of-service, data exfiltration, or testing against customer data.
- Do not publicly disclose active vulnerabilities before DueBid has investigated and remediated the issue.
No public bug bounty is offered unless an approved bounty program is published.