subforge — Security & Responsible Disclosure Policy
Last updated: 16 June 2026
We take the security of subforge and our users' data seriously, and we run the platform with discipline — monitoring, alerting, locked-down secrets, and automated deploys. Security researchers are an important part of keeping it safe, and we welcome good-faith reports.
Reporting a vulnerability
Please email [email protected] with:
- a description of the issue and where you found it;
- steps to reproduce, or a proof-of-concept; and
- the potential impact as you see it.
We will acknowledge your report, investigate, keep you updated on progress, and let you know when it's resolved. We're a small team, so please allow reasonable time to respond and fix.
Safe-harbour / rules of engagement
If you make a good-faith effort to comply with this policy, we will not pursue or support legal action against you for your research. In return, please:
- Do test only against your own accounts and data, or accounts you have explicit permission to test.
- Do give us a reasonable opportunity to fix an issue before disclosing it publicly (coordinated disclosure).
- Do not: access, modify, or delete other users' data; degrade the Service (no denial-of-service or volumetric testing); use social engineering or physical attacks; or run automated scanning that disrupts the Service or other users.
- Do not publicly disclose details until we've had a chance to remediate and agreed timing with you.
This policy operates alongside the Acceptable Use Policy: authorised, good-faith research under this policy is not a breach of the AUP.
Scope
In scope: the subforge web application and API at subforge.sh. Out of scope: third-party services we rely on (report those to the relevant provider), and findings that require physical access or compromised user devices.
Rewards
We don't currently run a paid bug-bounty programme, but we're grateful for reports and happy to credit researchers (with your permission) once an issue is fixed.
Contact
Security reports: [email protected]