Security & Responsible Disclosure
Last updated: 2026-05-17
We take security seriously and welcome reports from researchers and users.
This page describes how to report a vulnerability and what to expect from us.
How to report
Email security@nodegoals.com with:
- A description of the issue and its potential impact.
- Steps to reproduce (URL, payload, screenshots, video, or PoC).
- Your name or handle if you want acknowledgement.
Please do not open a public GitHub issue or post on social media
before we've had a chance to investigate.
What's in scope
- nodegoals.com and any deployment we operate (Vercel preview URLs,
staging environments).
- Our Vercel serverless functions under /api/*.
- Our Supabase project (data leak, RLS bypass, auth issue).
What's out of scope
- Vulnerabilities in third-party services (Supabase, Vercel, Stripe, OpenAI,
Anthropic, Google, Microsoft, Resend) — report those to the vendor.
- Self-XSS that requires the user to paste content into their own browser
console.
- Reports based solely on outdated dependency scanners without proof of
exploit.
- Spam / brute-force / rate-limit testing — we already rate-limit.
- Missing security headers without a concrete attack path.
- Volumetric attacks (DDoS) — these are infrastructure-level and handled by
our hosting provider.
What we ask
- Do not exfiltrate or modify data belonging to other users. If you can read
one row through a flaw, that's enough to demonstrate impact.
- Do not perform automated scans that significantly disrupt the service.
- Give us reasonable time to fix before public disclosure (we aim to triage
within 72 hours and resolve high-severity issues within 30 days).
- Do not extort or threaten public release; we'll work with you in good
faith.
Safe harbor
If you report a vulnerability to us in good faith following the rules above,
we won't:
- Pursue legal action against you for the research.
- Restrict your access to the service.
- Disclose your identity without your permission.
This safe harbor applies to research, not to data exfiltration, ransom,
extortion, or sustained abuse.
Acknowledgements
We don't currently run a paid bug bounty, but we credit researchers (with
permission) in this section after fixes ship.
Contact
Security: security@nodegoals.com
General: support@nodegoals.com