Security disclosure policy

How to report a security issue with reefcalcs. We read every email and respond within five business days.

How to report

Email hello@reefcalcs.com with as much detail as you can: the URL, the issue, the impact, and reproduction steps. Screenshots and short videos are welcome. Plain-text email is fine; there is no need to encrypt.

Per RFC 9116, the machine-readable version of this policy lives at /.well-known/security.txt.

What we ask

  • Give us a reasonable window — usually 30 days — to investigate and fix before public disclosure.
  • Don't access, modify, or exfiltrate other users' data. reefcalcs doesn't actually collect user data (calculators are client-side), but this principle still matters.
  • Don't run automated load tests, denial-of-service probes, or vulnerability scanners against the production site. If you need to do this, email first and we'll work out a window.
  • Don't use findings for extortion. We're happy to credit researchers publicly (with permission); we don't currently run a paid bug bounty program.

Response time

We aim to acknowledge every report within five business days. For anything truly severe (RCE, data exposure, account takeover), we try to acknowledge the same day during US business hours.

What's in scope

  • In scope: reefcalcs.com and all subdomains; calculator math errors that produce dangerous results; client-side XSS, CSRF, header injection; misconfigured CSP, CORS, or cookies; broken affiliate links that misdirect users.
  • Out of scope: third-party services we link to (Amazon product pages, vendor sites we cite); SPF/DKIM/DMARC issues on email subdomains we don't actively send from; CSP nuances that are safe-by-design.

Last reviewed