Responsible Disclosure Policy

How to report security vulnerabilities to RocketShare

We take the security of RocketShare and our users' data seriously. If you discover a security vulnerability, we appreciate your help in disclosing it to us responsibly.

Scope

The following are in scope for this policy:

  • rocketshare.app — the main web application
  • API endpoints under rocketshare.app
  • The client-side encryption implementation
  • Authentication and session management
  • Access control and authorization logic

How to report

Submit your findings through our contact form with the subject "Security Vulnerability Report". Please include:

  • A clear description of the vulnerability
  • Steps to reproduce the issue
  • The potential impact as you understand it
  • Any proof-of-concept code or screenshots (if applicable)
  • Your contact information for follow-up questions

What we ask

  • Do not publicly disclose the vulnerability until we have had a reasonable opportunity to address it
  • Do not access, modify, or delete other users' data during your research
  • Do not perform denial-of-service attacks or any testing that degrades the service for other users
  • Do not use automated scanning tools at scale against production systems — test manually or use a personal test account
  • Act in good faith — make a genuine effort to avoid privacy violations and disruption

What we promise

  • Acknowledgment within 48 hours — we will confirm receipt of your report within 2 business days
  • Regular updates — we will keep you informed of our progress as we investigate and fix the issue
  • Reasonable fix timeline — we aim to resolve confirmed vulnerabilities within 90 days, depending on complexity
  • Credit — with your permission, we will credit you as the reporter when we disclose the fix
  • No legal action — we will not pursue legal action against researchers who follow this policy in good faith

No financial rewards

At this time, we do not offer financial rewards (bug bounties) for vulnerability reports. We do offer public credit and our sincere gratitude for helping keep RocketShare secure.

Out of scope

The following are not considered vulnerabilities under this policy:

  • Social engineering — phishing or pretexting attacks against our team or users
  • Denial of service (DoS/DDoS) — volumetric attacks or resource exhaustion
  • Third-party services — vulnerabilities in services we use but do not control (e.g., Cloudflare, payment processors)
  • Self-XSS — issues that require the victim to paste code into their browser console
  • Missing security headers on non-sensitive pages — unless they lead to a demonstrable exploit
  • Rate limiting — absence of rate limiting on non-critical endpoints
  • Software version disclosure — server or framework version information in headers or responses
  • Content spoofing — without a demonstrated security impact

This policy is effective as of February 2026. For questions about this policy, contact us.