Responsible Disclosure Program

Security is a feature, not a layer.

We welcome good-faith security research. This page outlines our responsible disclosure policy, scope, rules of engagement, and safe harbor.

Responsible Disclosure Policy

If you believe you’ve found a security vulnerability in any FASTNAT asset, please let us know immediately. We will work with you to resolve the issue quickly and responsibly.

  • Make a good-faith effort to avoid privacy violations and service disruption.
  • Give us a reasonable time to remediate before public disclosure.
  • Do not access or modify data that isn’t yours.
  • Comply with applicable laws and the rules of engagement below.

In Scope

  • fastingnation.io (all subpages under https://fastingnation.io/)
  • Static site behavior, service worker (sw.js), and PWA configuration
  • Client-side storage (e.g., localStorage) and data exposure risks in the simulator

Out of Scope

  • Third-party platforms (CDNs, fonts, external video hosts) unless misconfiguration is within our control
  • Denial of Service, brute force on non-existent endpoints, or spam reports without evidence
  • UI/UX issues without security impact, and missing rate limits on non-sensitive static endpoints

Rules of Engagement

  • No data exfiltration or data destruction.
  • No privacy invasion or access to accounts other than your own.
  • No physical attacks, social engineering, or phishing of FASTNAT staff/users.
  • No traffic flooding or service disruption.
  • Coordinate timelines for any disclosure; we prefer 30–90 days depending on severity.

Safe Harbor

If you follow this policy and act in good faith, we will not pursue legal action against you for your research on in-scope systems. This safe harbor does not apply to actions that are unlawful or harmful (e.g., data theft, extortion, or disruption).

Response Targets

  • Acknowledgement: within 72 hours
  • Initial assessment: within 7 business days
  • Remediation plan: within 14–30 days depending on severity and scope

These are targets, not guarantees, but we strive to meet or exceed them.

How to Report

  1. Email us at security@fastingnation.io
  2. Optionally encrypt using our PGP key (see below)
  3. Include: affected URL(s), steps to reproduce, impact, and any proof-of-concept
  4. Provide a safe way for us to reproduce without accessing third-party data

Security.txt

We publish a machine-readable contact file:

View /.well-known/security.txt

PGP Public Key

Download our public key to encrypt sensitive reports.

Download: publickey.asc

Recognition

We appreciate researchers who help keep users safe. With consent, we may add your name or handle to a future Hall-of-Fame.

No bounties at this time. We may introduce non-monetary rewards later.