Security policy
RoadSeal welcomes good-faith security research. This page describes how to report a vulnerability and what's in scope.
Scope
- roadseal.co and all subdomains
- roadseal.pages.dev (preview environment)
- The Supabase Edge Functions hosted under our project
- The /admin/* surface area (please report — do not actively exploit)
Out of scope
- Third-party services we use (Supabase, Stripe, SendGrid, Cloudflare). Please report those directly to the vendor.
- Self-XSS or attacks requiring physical access to a user's device.
- Reports based solely on automated scanner output without a working proof-of-concept.
- Best-practice complaints with no impact (e.g. missing security headers on static marketing pages).
- Denial-of-service requiring saturated network resources.
What we ask
- Give us reasonable time (usually 30–90 days) to fix before public disclosure.
- Don't access more user data than necessary to demonstrate the issue.
- Don't extract, retain, or share any customer data you encounter.
- Avoid social engineering against staff and customers.
What we'll do
- Acknowledge your report within 3 business days.
- Triage and respond with a fix timeline within 10 business days.
- Credit you publicly with your permission.
- We don't currently pay bounties, but that may change as the company grows.
Safe harbour
If you act in good faith and follow this policy, RoadSeal won't pursue legal action against you for activities consistent with the scope and conditions above.
Out-of-band reporting
If the issue is critical and you can't reach security@roadseal.co, please copy support@roadseal.co with the subject line "SECURITY: please escalate".