Skip to content

Security & responsible disclosure

We build a product that audits people's online security. Ours is held to the same bar — and reports about it are taken seriously and handled with care.

TL;DR — Found something? Email security@secbird.io. Good-faith research is welcome and protected (safe harbor below). We acknowledge within 3 business days, keep you updated, and credit you if you'd like. No bug bounty yet — we're bootstrapped — but never anything less than thanks.

How to report

Email security@secbird.io with:

  • What you found and where (URL, endpoint, or file).
  • Steps to reproduce it.
  • What an attacker could do with it.

Plain language, proof-of-concept over polish. Encrypted mail is welcome (PGP key linked from our security.txt) but not required.

What to expect

  • Acknowledgement within 3 business days (faster if it's live).
  • A status update at least every 7 days until it's resolved.
  • Credit on our thanks page if you want it — tell us the name to use.
  • A coordinated disclosure timeline: 90 days by default, or sooner by agreement.

Safe harbor

We will not pursue legal action for good-faith security research that:

  • stays within your own accounts and test data — never anyone else's,
  • avoids privacy violations, data destruction, and service degradation,
  • gives us reasonable time to fix before public disclosure.

If you're unsure whether something is in bounds, ask first — we'd rather help you research safely than warn you off.

Scope

In scope: the app and this site (secbird.io), and the API behind them.

Out of scope: volumetric denial-of-service, social engineering of the team, physical attacks, and the third-party services we integrate with (report those to the vendor — we'll help route it). Findings that require an already-compromised device or a defeated browser aren't issues in our product.

Machine-readable

/.well-known/security.txt (RFC 9116) — the canonical contact + policy pointer, on both the app and this site.