Security disclosure policy

Good-faith researchers: we want your reports. This page spells out how to send one, what we cover, and what safe harbor we grant.

Last updated: 2026-04-17 · machine-readable: /.well-known/security.txt

Report a vulnerability

Email security@supplierspy.com. Include:

  • A clear title and severity estimate (CVSS optional but welcome).
  • Steps to reproduce, ideally with a minimal proof-of-concept URL or script.
  • Impact — what an attacker could do with this bug.
  • Your preferred attribution name for the acknowledgments section.

PGP: not yet published. When we publish a key, it will be linked from /.well-known/security.txt and fingerprinted below.

Scope

In scope:

  • The Cloudflare Worker serving supplierspy.com.
  • The R2 archive backing /snapshots/<date>.json.
  • The KV snapshots (leaderboard:current, leaderboard:history).
  • The signed snapshot chain and JWKS at /.well-known/jwks.json.
  • The API endpoints under /api/*.

Out of scope:

  • Third-party supplier websites we link to — those are someone else's responsibility.
  • Cloudflare's own infrastructure (report those to Cloudflare directly).
  • Rate-limit / denial-of-service findings that consist only of "I sent many requests" — those belong to Cloudflare's edge.
  • Social-engineering the operator, or findings that require physical access.

Safe harbor

We will not pursue legal action against good-faith researchers who follow this policy. That includes:

  • No DMCA claims over research that temporarily stored our content to demonstrate a bug.
  • No CFAA-style claims over authorization boundaries you crossed while testing in scope.
  • No GDPR/privacy claims over incidental data you encountered while proving an issue, provided you did not exfiltrate it further.

If a third party (e.g. a hosting provider) brings legal action against a researcher for following this policy, we will make a good-faith public statement of the authorization we granted.

What we ask

  • Do not exfiltrate data beyond what's needed to prove the issue. A single record, redacted, is enough.
  • Give us 90 days from report-acknowledgment before public disclosure. Coordinated disclosure timelines can be negotiated; silent dumps cannot.
  • Do not degrade service for other users — no stress testing, no destructive probes against shared resources.
  • Do not pivot from a finding into unauthorized access of user data or third-party systems.

Response SLA

  • Acknowledgment: within 48 hours.
  • Triage decision: within 7 days.
  • Remediation for high-severity issues: within 30 days.
  • Public write-up or acknowledgment (with your name if you want credit): after the fix ships.

What we've signed

Every leaderboard snapshot is signed with ECDSA P-256 (algorithm ES256) before being archived.

  • Algorithm: ECDSA over curve P-256 with SHA-256.
  • Fingerprint: sha256:5fb9669f3c1e42637b55204dfc98ab79
  • Public key (JWKS): /.well-known/jwks.json

Signed publication chain

Every snapshot is archived at /snapshots/<date>.json with a companion signature file at /snapshots/<date>.json.sig. A browser-side verifier is available at /snapshots/<date>.json.verify.

The full archive index is at /snapshots. Any tampering with a published snapshot will cause its signature verification to fail.
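
Checking a snapshot against its companion signature and the JWKS, as an added example that is not this site's own verifier code. It assumes the .sig file holds the raw 64-byte r||s ES256 signature, base64url-encoded, over the exact bytes of the snapshot file, and that the JWKS contains standard EC P-256 JWKs; the page specifies neither. The key pair and snapshot are constructed in place so it runs offline.

```javascript
// Added example: ES256 snapshot check with WebCrypto (browser, Workers, Node).
// Assumptions, not stated on the page: the .sig file is the base64url-encoded raw
// r||s signature over the exact snapshot bytes; the JWKS holds EC P-256 JWKs.
const { subtle } = globalThis.crypto ?? require("node:crypto").webcrypto;
const ES256_KEY = { name: "ECDSA", namedCurve: "P-256" };
const ES256_SIG = { name: "ECDSA", hash: "SHA-256" };

function b64urlToBytes(s) {
  const b64 = s.trim().replace(/-/g, "+").replace(/_/g, "/");
  return Uint8Array.from(atob(b64), (c) => c.charCodeAt(0));
}

function bytesToB64url(bytes) {
  return btoa(String.fromCharCode(...bytes))
    .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

// Returns true only if some P-256 key in the JWKS validates the signature.
async function verifySnapshot(snapshotBytes, sigText, jwks) {
  let sig;
  try { sig = b64urlToBytes(sigText); } catch { return false; }
  if (sig.length !== 64) return false; // raw ES256 signatures are exactly 64 bytes
  for (const jwk of jwks.keys ?? []) {
    if (jwk.kty !== "EC" || jwk.crv !== "P-256") continue; // algorithm is pinned here
    const { kty, crv, x, y } = jwk; // import the public members only
    const key = await subtle.importKey("jwk", { kty, crv, x, y }, ES256_KEY, false, ["verify"]);
    if (await subtle.verify(ES256_SIG, key, sig, snapshotBytes)) return true;
  }
  return false;
}

// Constructed demo: throwaway key and sample snapshot, then a one-bit tamper.
async function demo() {
  const pair = await subtle.generateKey(ES256_KEY, true, ["sign", "verify"]);
  const jwks = { keys: [await subtle.exportKey("jwk", pair.publicKey)] };
  const snapshot = new TextEncoder().encode('{"date":"2026-01-01","leaderboard":[]}');
  const rawSig = await subtle.sign(ES256_SIG, pair.privateKey, snapshot);
  const sigText = bytesToB64url(new Uint8Array(rawSig));
  const tampered = snapshot.slice();
  tampered[tampered.length - 3] ^= 0x01; // flip one bit inside the JSON body
  return {
    genuine: await verifySnapshot(snapshot, sigText, jwks),
    tampered: await verifySnapshot(tampered, sigText, jwks),
    truncatedSig: await verifySnapshot(snapshot, sigText.slice(0, 40), jwks),
  };
}
```

Under the assumption above, verify the bytes exactly as fetched; parsing and re-serializing the JSON first changes the bytes and fails the check even for an untampered snapshot.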