Responsible disclosure

Found a security or privacy issue in the PsychPod app, website, or backend? Thank you for taking the time to tell us. This page explains how to report it, what we promise in return, and what we ask of you.

How to report

Email support@psychpod.org with:

  • A clear description of the issue
  • Steps to reproduce, or a proof-of-concept (no live exploitation)
  • The platform and version where you found it (iOS / Android / website)
  • Your name and contact details, if you want acknowledgement

If you would like to encrypt your report, our PGP key is available on request. We do not run a paid bug-bounty programme yet, but we are happy to credit you publicly with your permission.

What we promise

  • Acknowledgement within 72 hours. A real human reads every report.
  • An honest assessment. If the issue is critical we tell you so. If it isn't a security issue, we explain why.
  • Status updates as we triage, fix, and ship the patch.
  • Coordinated disclosure. Hold off on public details until the fix is live; we'll work with you on timing.
  • No legal threats for good-faith research that follows the boundaries below.

What we ask of you

  • No live data. Test only against your own account. Don't access, modify, or exfiltrate other users' check-in data, journals, voice notes, messages, or any personal data.
  • No service disruption. Don't run denial-of-service, brute-force authentication, or destructive testing.
  • Coordinated disclosure. Give us a reasonable window to fix before publishing details.
  • One reporter per finding. If multiple researchers report the same issue, we credit the first clear, reproducible report.

Out of scope

  • Issues in third-party services PsychPod depends on (Supabase, Apple, Google, Vercel, Sentry). Report those to the vendor directly.
  • Theoretical issues without a working proof-of-concept
  • Self-XSS, clickjacking on pages without sensitive actions, missing security headers without exploit
  • Social engineering of PsychPod staff or users
  • Findings from automated scanners without manual verification

Privacy reports

For privacy-specific concerns, rights requests, data-handling questions, or NDPO/PDPPL-related enquiries, email support@psychpod.org. That alias is read by the same person, but it is tracked in our rights-handling queue with a 30-day response SLA.

Last updated 9 May 2026.