Responsible Disclosure Policy
Last updated: May 20, 2026
Sevastack does not currently operate a paid bug bounty program. We do welcome responsible disclosure of security vulnerabilities.
1. Scope
This policy applies to the following:
- sevastack.in — main platform and dashboard
- API endpoints — all /api/* routes
- Donor-facing pages — /donate/*, /campaigns/*
Third-party services (Razorpay, AWS, Resend, Vercel infrastructure) are out of scope. Report those directly to the respective vendor.
2. How to report
Email your findings to with the subject line Security Disclosure — [brief description].
Include in your report:
- Description of the vulnerability
- Steps to reproduce
- Potential impact
- Your suggested fix (optional)
3. What to expect
- Acknowledgement within 3 business days
- Assessment within 10 business days
- We will keep you informed of progress on confirmed vulnerabilities
- Credit in our changelog for valid, responsibly disclosed reports (if you wish)
4. Our commitments
- We will not take legal action against researchers who follow this policy
- We will treat your report confidentially
- We will not share your personal information without your consent
5. Out of scope
The following are out of scope for this policy and not eligible for credit:
- Denial of service attacks
- Social engineering or phishing attacks against our team
- Spam or email flooding
- Issues requiring physical access to a device
- Automated scan results without proof of exploitability
6. Contact
Security reports:
For general support, visit our contact page.