Security

JobScout security policy

Report a vulnerability

Email security@jobscout-hq.com (or cory.salisbury@gmail.com) with a clear writeup. Plain text is fine. We acknowledge within 48 hours and triage within 7 days.

What we ask

  • Give us 60 days to fix before public disclosure.
  • Don't access other users' data beyond what's needed to demonstrate the issue.
  • Don't run automated scanners against production at scale. Manual probing + a small set of test accounts is fine.
  • Don't pivot a finding into broader access — if you found a way in, stop and report.

What we promise

  • Good-faith research = safe harbor. We won't pursue legal action against researchers acting within this policy.
  • We acknowledge every credible report and credit researchers (with permission) in our changelog.
  • For high-severity findings (RCE, auth bypass, mass-PII exposure) we offer a thank-you bounty. Email us for details.
  • We share our remediation timeline and ship a fix or a documented mitigation within 30 days for high-severity issues.

Out of scope

  • Vulnerabilities in third-party services we depend on (Firebase Auth, Stripe, Anthropic, Cloudflare, Google Cloud) — please report those to the vendor directly.
  • Self-XSS or social-engineering attacks that require already-compromised user accounts.
  • Reports based solely on missing security headers without a demonstrated attack path.
  • Denial-of-service or volumetric attacks.
  • Vulnerabilities in our marketing pages that don't expose authenticated data.

Security posture

  • HTTPS everywhere with Google-managed certificates and HSTS.
  • Session cookies are HttpOnly + Secure + SameSite=Lax. CSRF mitigated by SameSite + same-origin checks on mutating endpoints.
  • Authentication via Firebase Auth with session-cookie verification on every request.
  • Multi-tenant data isolation enforced at the data-access layer — every read/write requires the session UID.
  • Stripe webhook signatures verified before any mutation.
  • Secrets stored in Google Cloud Run env, never in source.
  • Daily backups via Firestore point-in-time recovery.
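The same-origin check on mutating endpoints mentioned above is the part of the CSRF defence that SameSite=Lax alone does not cover (cookies are still sent on top-level cross-site GET navigations, and older clients may ignore the attribute). The following is an added illustration, not JobScout's code: a request-level check that fails closed on state-changing methods, with a placeholder allowed origin and an Express-style middleware shape that are both assumptions.

```javascript
// Added example (not JobScout's code): origin check for state-changing requests.
// ALLOWED_ORIGIN is a constructed placeholder, not the real deployment.
const ALLOWED_ORIGIN = "https://app.example.com";
const MUTATING_METHODS = new Set(["POST", "PUT", "PATCH", "DELETE"]);

// Decide whether a request passes the same-origin check.
// `headers` is a plain object keyed by lowercase header name.
// Returns { ok: true } or { ok: false, reason }.
function checkSameOrigin(method, headers) {
  if (!MUTATING_METHODS.has(method.toUpperCase())) return { ok: true };
  const origin = headers["origin"];
  const site = headers["sec-fetch-site"];
  // Modern browsers send Sec-Fetch-Site; anything other than same-origin or a
  // user-initiated navigation ("none") is rejected before looking at Origin.
  if (site && site !== "same-origin" && site !== "none") {
    return { ok: false, reason: `sec-fetch-site=${site}` };
  }
  if (origin) {
    return origin === ALLOWED_ORIGIN
      ? { ok: true }
      : { ok: false, reason: `origin=${origin}` };
  }
  // No Origin header: fall back to Referer, and fail closed if that is
  // missing or malformed rather than assuming the request is first-party.
  const referer = headers["referer"];
  if (!referer) return { ok: false, reason: "no origin or referer" };
  try {
    if (new URL(referer).origin === ALLOWED_ORIGIN) return { ok: true };
  } catch (e) {
    // malformed Referer is treated as a mismatch
  }
  return { ok: false, reason: "referer mismatch" };
}

// Express-style middleware (hypothetical app shape) that rejects with 403.
function sameOriginMiddleware(req, res, next) {
  const result = checkSameOrigin(req.method, req.headers);
  if (!result.ok) {
    return res.status(403).json({ error: "cross-origin request rejected" });
  }
  next();
}
```

Pair this with the SameSite=Lax cookie setting rather than replacing it: the cookie attribute limits when the browser attaches the session, and the header check catches the cases the attribute lets through.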