VØIDDO · TRUST

security policy

If you've found a vulnerability, we want to hear from you. This page is our public commitment to how we handle security reports.

How to report

Email support@voiddo.com with the subject line "Security vulnerability report". One human reads that inbox.

Please include:

  • What product or domain is affected (scrb, rankd, voiddo.com, browser extension, etc.)
  • Steps to reproduce — the simpler, the faster we fix it
  • Your assessment of impact and any proof-of-concept code or screenshots
  • Your handle if you'd like credit when we publish a fix

Our response

  • Initial reply: within 48 hours during weekdays.
  • Triage: we'll confirm reproducibility and assign a severity within 5 business days.
  • Fix timeline: critical issues are patched within 7 days, medium-severity issues within 30 days, and low-severity issues are batched into normal release cycles.
  • Disclosure: coordinated disclosure preferred. We'll credit reporters in our release notes unless asked otherwise.

Scope

In scope:

  • voiddo.com and all *.voiddo.com subdomains
  • Browser extensions we publish (scrb, rankd, jobmeta, pricepulse, randumb, tabsnap, jsonyo, tokcount, interviewprep)
  • npm packages under the @v0idd0 scope
  • Mobile apps we publish (Void Factory, others)

Out of scope:

  • Third-party services (Paddle billing, Cloudflare, Google APIs) — report directly to those vendors
  • Social engineering against staff
  • Physical attacks against our infrastructure
  • Denial-of-service via traffic flooding
  • Self-XSS without an external attack vector
  • Spam or phishing originating from external senders

Safe harbor

If you make a good-faith effort to comply with this policy, we will not pursue legal action against you, even if your testing inadvertently violates other terms. Specifically, we agree to:

  • Not pursue civil or criminal action for security research conducted within scope
  • Treat your report confidentially until coordinated disclosure
  • Recognize your contribution publicly if you wish

Please act in good faith — only test against your own accounts, don't access or modify other users' data, and let us know promptly if you accidentally do.

What we don't have

We're a small studio (6 people). We don't currently run a paid bug bounty program, we don't have a SOC 2 audit, and we don't have a dedicated security team. We do read every report and we fix what we find.

If you're evaluating us as an enterprise vendor and need formal security certifications, we're not the right fit yet. For everyone else — independent developers, agencies, small teams — we believe transparent disclosure and fast fixes matter more than badges.

Machine-readable

Our security.txt is at /.well-known/security.txt per RFC 9116.

Contact: support@voiddo.com
Subject line: "Security vulnerability report"
Languages: English, Russian