Security

security policy & bug bounty

storyflo treats security reports as a first-class signal. The faster a real-world researcher finds an issue, the faster every listener and publisher on the platform is safer. This page is the canonical source — quote it in any disclosure correspondence.

reporting a vulnerability

Pick whichever channel is easier for you. Email is preferred.

Please do not disclose publicly until we've confirmed a fix is live on production.

response SLA

stage                                            target
initial human acknowledgement                    24 hours (09:00–18:00 PT, Mon–Fri)
triage outcome                                   3 business days
critical fix (RCE, full-DB read, auth bypass)    7 days
high fix (privilege escalation, data leak)       30 days
medium / low fix                                 90 days

Critical reports outside business hours route to on-call via Telegram and are still acknowledged within 24h.

safe harbor

We won't pursue legal action against good-faith research that:

  1. stays within the scope below;
  2. does not access, modify, or delete data belonging to other listeners or publishers (other than your own test accounts);
  3. does not degrade availability — no DoS, no resource-exhaustion "tests";
  4. reports privately and gives us reasonable time to fix before disclosing publicly.

If a finding requires you to bend rule (2) to demonstrate impact, stop and email us first — we'll grant explicit written permission for the specific demonstration.

scope

in scope

  • production deployments at storyflo.com and readout-fm-deploy-2026.fly.dev
  • source in Alisammour/storyflo, Alisammour/storyflo-inference, and Alisammour/storyflo-sdk
  • listener / publisher tokens read from localStorage exposed beyond the intended page boundary
  • the embed iframe widget at /embed/article/[slug] — CSP allows any frame ancestor by design; report ways to escape that boundary
  • wallet integrations (RainbowKit, Circle Programmable Wallets) that could leak addresses, sign unintended payloads, or bypass user consent
  • BYO-TTS encrypted-key storage + retrieval (Fernet-encrypted listener API keys at rest)
  • per-listener private RSS feeds — each listener's token IS their credential; cross-tenant leaks are top-priority
  • Postmark inbound + outbound — spoofing or abuse

out of scope

These earn no bounty and will not be acknowledged as findings:

  • public identifiers intentionally embedded in the client bundle (WalletConnect Project ID, Reown Project ID, Circle public token IDs)
  • the hardcoded inference URL fallback in lib/env.ts
  • self-XSS via the user pasting payloads into their own browser
  • missing security headers on assets that don't carry user state — tracked as polish, not vulns
  • denial-of-service / resource-exhaustion tests (already excluded by safe harbor)
  • automated-scanner dumps with no proof-of-impact (Nessus / Acunetix / Burp without analysis)

reward / acknowledgement

We do not currently run a paid bug-bounty program. We commit to:

  • public credit in the security advisory + thank-you in our changelog for any valid finding (pseudonymous OK)
  • discretionary swag (storyflo brand kit) for the first 25 valid reports
  • paid program commitment within 6 months of public launch — researchers who report during the pre-bounty window will be retroactively rewarded for valid critical / high findings

hall of fame

(empty — be the first)

Code is BSL 1.1 (storyflo, storyflo-inference) or MIT (storyflo-sdk). Reports themselves carry no license obligation. See terms + privacy.
