Security
Storehouses Vulnerability Disclosure Program
Storehouses is committed to protecting customer data and maintaining a secure, privacy-first platform for managing high-value physical assets. We welcome good-faith reports from security researchers, customers, and the broader community.
A responsible disclosure program — not a guaranteed paid bounty
- This is a responsible vulnerability disclosure program.
- Storehouses does not currently operate a guaranteed cash bug bounty program.
- Valid, high-impact reports may be eligible for discretionary non-cash rewards.
- Rewards may include free months of access, account credits, plan discounts, or public recognition.
- Rewards are not guaranteed and are determined by Storehouses at its discretion.
01 — Overview
Good-faith research, responsibly disclosed.
Storehouses welcomes responsible reports of security issues from researchers, customers, and the broader community. Our goal is to work with the security community to identify and remediate vulnerabilities that could put customer data or platform integrity at risk.
While researching, please avoid privacy violations, data destruction, data exfiltration, service disruption, and public disclosure before remediation. The protections in this policy depend on good-faith conduct within the scope below.
02 — How to Report
Send reports to a single, monitored inbox.
Security inbox
All reports are reviewed by the Storehouses security team. Please send one issue per email when possible.
Response targets
- Acknowledgement: within 3 business days
- Initial triage: within 10 business days
Required report details
- Affected URL, endpoint, or feature
- Description of the issue
- Steps to reproduce
- Potential impact
- Screenshots or proof of concept, where safe to share
- Your contact information
03 — In Scope
What we want to hear about
- storehouses.app
- app.storehouses.app
- Storehouses-owned API endpoints
- Storehouses-owned web application functionality
- Authentication and authorization issues
- Broken access control
- IDOR and object-level authorization issues
- Privilege escalation
- Exposure of non-public data
- Serious file upload vulnerabilities
- Exposed secrets or credentials
- Serious API security issues
- Server-side request forgery (SSRF)
- SQL injection or command injection
- Cross-site scripting with meaningful security impact
04 — Out of Scope
What's not covered
- Denial-of-service or stress testing
- Spam, phishing, social engineering, or physical attacks
- Attacks against employees, customers, vendors, or third parties
- Testing third-party services directly, including Stripe, Supabase, Vercel, Google, Apple, Vanta, or other vendors
- Automated scanning that degrades service
- Accessing, downloading, modifying, or deleting customer data
- Brute force attacks
- Creating persistence, malware, or backdoors
- Public disclosure before Storehouses has remediated the issue
- Reports with no practical security impact
- Missing security headers without exploitability
- Clickjacking without sensitive impact
- Self-XSS
- Rate-limit findings without demonstrated risk
05 — Safe Harbor
Research in good faith is protected.
If you conduct good-faith security research within this policy, avoid privacy violations, do not destroy or exfiltrate data, and report vulnerabilities responsibly, Storehouses will not pursue legal action against you for that research.
06 — Rewards
Discretionary, non-cash recognition.
Valid, high-impact reports may be eligible for the following discretionary, non-cash rewards. Severity is determined by Storehouses based on practical impact and reproducibility.
| Severity | Potential reward |
|---|---|
| Critical | 12 months of Premium access, equivalent account credit, or public recognition |
| High | 6 months of Premium access, equivalent account credit, or public recognition |
| Medium | 3 months of Premium access, account discount, or public recognition |
| Low / Informational | Thanks or recognition only |
Disclaimer. Rewards are discretionary, non-cash, not guaranteed, and may depend on report quality, impact, reproducibility, and whether the issue was previously known.
07 — Responsible Disclosure
Give us time to remediate.
We ask researchers not to publicly disclose any reported issue until Storehouses has had a reasonable opportunity to investigate, validate, and remediate it. If you intend to publish a write-up after remediation, please coordinate timing with us in advance — we're happy to credit your work.
Report a vulnerability
Found something? Tell us.
One inbox, monitored by the Storehouses security team. We acknowledge every good-faith report.