Security & responsible disclosure
We build a product that audits people's online security. Ours is held to the same bar — and reports about it are taken seriously and handled with care.
TL;DR — Found something? Email security@secbird.io. Good-faith research is welcome and protected (safe harbor below). We acknowledge within 3 business days, keep you updated, and credit you if you'd like. No bug bounty yet — we're bootstrapped — but never anything less than thanks.
How to report
Email security@secbird.io with:
- What you found and where (URL, endpoint, or file).
- Steps to reproduce it.
- What an attacker could do with it.
Plain language, proof-of-concept over polish. Encrypted mail is welcome (PGP key linked from our security.txt) but not required.
What to expect
- Acknowledgement within 3 business days (faster if it's live).
- A status update at least every 7 days until it's resolved.
- Credit on our thanks page if you want it — tell us the name to use.
- A coordinated disclosure timeline: 90 days by default, or sooner by agreement.
Safe harbor
We will not pursue legal action for good-faith security research that:
- stays within your own accounts and test data — never anyone else's,
- avoids privacy violations, data destruction, and service degradation,
- gives us reasonable time to fix before public disclosure.
If you're unsure whether something is in bounds, ask first — we'd rather help you research safely than warn you off.
Scope
In scope: the app and this site (secbird.io), and the API behind them.
Out of scope: volumetric denial-of-service, social engineering of the team, physical attacks, and the third-party services we integrate with (report those to the vendor — we'll help route it). Findings that require an already-compromised device or a defeated browser aren't issues in our product.
Machine-readable
/.well-known/security.txt (RFC 9116) — the canonical contact + policy pointer, on both the app and this site.