Security and Responsible Disclosure Policy
Effective date: July 15, 2026 · Version 1.0
1. Security principles
StableDeliver is designed so that buyer funds move directly to seller-controlled wallet addresses. StableDeliver does not require private keys or seed phrases. We use security controls intended to protect accounts, tenant data, fulfilment materials, APIs, and webhooks — including tenant isolation, server-side sessions, single-use authentication links, CSRF protection, rate limiting, and encrypted delivery-secret storage.
No system is perfectly secure. This page describes reporting and testing rules; it is not a warranty or certification.
2. Reporting a vulnerability
Send reports to [email protected] with the subject line "Security report". Include the affected URL or component, vulnerability type, reproducible steps, impact, relevant logs or screenshots, and a safe method to contact you.
Do not include personal data, private keys, seed phrases, live customer secrets, or unnecessary exploit data.
3. Authorised research conditions
- Use your own accounts, test mode, and data. Do not access or alter another user's account, files, orders, licence keys, or wallet information.
- Stop immediately if you encounter personal data, secrets, or evidence of active compromise, and report it.
- Do not conduct denial-of-service, high-volume automated scanning, social engineering, physical attacks, malware deployment, spam, or attacks on third-party providers.
- Do not initiate real blockchain transfers unless using your own wallets and amounts necessary for a safe test.
- Do not publicly disclose a vulnerability before StableDeliver has had a reasonable opportunity to investigate and remediate.
- Comply with law and avoid privacy, service, or financial harm.
4. Our response
We aim to acknowledge good-faith reports within 3 business days and provide status updates where practicable. These are targets, not contractual service levels. We may request additional information or decide that a report is out of scope, duplicate, low impact, or not reproducible.
5. Safe-harbour statement
Where a researcher makes a good-faith effort to comply with this policy, StableDeliver will not initiate legal action solely for the authorised security research. This statement does not bind third parties or authorities and does not protect conduct that causes harm, exceeds the policy, or violates law.
6. Rewards
StableDeliver does not promise a bounty or payment unless a written reward programme is published or agreed in advance. Recognition or compensation is at StableDeliver's discretion and may require identity, sanctions, tax, and eligibility checks.