One inbox, one human, one promise to reply.
Email security@heatcord.com. That mailbox is monitored directly by the founder. We acknowledge every legitimate report within 72 hours. If you haven't heard back after 72 hours, assume your email landed in spam and follow up via /contact.html with the subject line "Security: [your original subject]".
Include in your report:
- The URL, parameter, or component affected. Be specific: app.webinly.com/api/livekit/token is useful; "the app" is not.
- Reproduction steps: a curl command, a screenshot, a short video, whatever shows the issue.
- The impact you believe this has. What can an attacker do, with what privilege level?
- Your name or handle (for acknowledgement) and how you'd like to be credited.
What's in. What's out.
In scope:
- heatcord.com (this marketing site)
- app.webinly.com (the application)
- *.heatcord.com (any subdomain we publish)
- Public APIs at app.webinly.com/api/*
Out of scope: issues in the third-party services we use: Verpex (hosting this marketing site), Cloudflare (DNS), Vercel (app hosting), Supabase (storage + auth), Neon (database), LiveKit (real-time video), Stripe (payments), Resend (email). If you find an issue with one of those, please report it to the vendor directly and copy us if it affects Heatcord users. We'll help triage.
Also out of scope (please don't report these):
- Missing security headers that don't lead to a concrete attack (CSP, HSTS, etc. We know; a hardening pass is in progress).
- Self-XSS or attacks requiring the victim to paste code into their own browser console.
- DNS misconfigurations on parked subdomains (we'll fix when noticed; not a vulnerability).
- Email spoofing via SPF/DKIM gaps on non-mail subdomains.
- Reports from automated scanners with no manual validation.
- Social engineering against staff, customers, or contractors.
- Physical attacks on offices, infrastructure, or personnel.
- Denial-of-service or load-testing without explicit prior written consent.
The deal we make with researchers.
- Acknowledgement within 72 hours. A human reads every report.
- Initial triage within 7 days. We tell you whether we've reproduced the issue, what severity we've assigned, and a rough timeline.
- Fix or mitigation timeline based on severity. Critical: under 7 days. High: under 30 days. Medium / Low: best effort, communicated.
- Credit, if you want it. We maintain a researcher acknowledgement section (see below) and will credit you with the name or handle you provide.
- No legal action against you for good-faith research under the safe-harbour terms below.
- No bug bounty (yet). Heatcord doesn't yet have the revenue to responsibly fund a paid program. We'll send a personal thank-you, swag where shipping permits, and credit. When we launch a paid program, we'll announce it here.
Good-faith research is welcome.
If you act in good faith, follow this policy, and report a vulnerability to us before disclosing it publicly:
- We will not pursue legal action against you under the Computer Misuse Act 1990 (UK) or analogous statutes.
- We consider your activity authorised under our terms of service.
- We will work with you on coordinated disclosure timing.
This safe harbour does not apply if you: extract or copy customer data beyond what's needed to demonstrate the vulnerability; modify, delete, or destroy customer data; degrade service for other users; share unpublished vulnerability details with third parties before our fix ships; or violate any other applicable law.
Coordinated disclosure
Please don't publish before we've fixed it.
We ask for 90 days from initial report to public disclosure, or until a fix has shipped to production, whichever comes first. If we need longer, we'll explain why and propose a timeline. If 90 days pass and we haven't fixed the issue or communicated meaningfully, you're free to publish.
We're happy to be credited in your write-up. We'd appreciate a heads-up 48 hours before publication so we can prepare a statement if needed.
Acknowledgements
Researchers who've helped.
This section lists security researchers who have responsibly disclosed vulnerabilities to Heatcord. If you've reported an issue and want to be credited, let us know your preferred name/handle.
No researchers credited yet. Be the first.
PGP / encryption
If you need to encrypt the report.
For sensitive reports, request our PGP public key by emailing security@heatcord.com with the subject "PGP key request". We'll reply with the key fingerprint and the full key. We do not yet publish a PGP key in the security.txt file. Sending an unencrypted "please send key" email is fine, since the request itself contains no sensitive data.
Updates
This policy will change.
The current version was last reviewed on May 20, 2026. We expect to update it as Heatcord grows. Material changes will be noted at the top of this page. The matching machine-readable file lives at /.well-known/security.txt and expires May 4, 2027.