Security

Reporting a vulnerability

If you've found something that looks like a security issue in ContentRX, please tell us before you tell anyone else. We'll work with you on a fix and a coordinated disclosure timeline.

How to report

Email security@contentrx.io. Include enough detail to reproduce: affected URL or surface, request shape, what you expected vs. what happened. A proof-of-concept is welcome but not required.

We'll acknowledge receipt within 2 business days and aim for a substantive response (triage, severity assessment, expected fix timeline) within 5 business days. Critical issues skip the queue.

Scope

The following surfaces are in scope for disclosure:

  • The web app at contentrx.io and its API endpoints (/api/*)
  • The PyPI packages contentrx-mcp, contentrx-lsp, and contentrx-cli
  • The GitHub Action distributed from the contentRX repository

Out of scope:

  • Third-party services we depend on (Stripe, Clerk, Supabase, Anthropic, Vercel, etc.). Please report those to the respective vendors' programs.
  • Issues that require physical access to a target's device.
  • Reports that boil down to “the rate limit is X req/min, that's configurable”. We welcome tuning suggestions but those aren't vulnerabilities.
  • Theoretical issues without a working proof-of-concept (e.g., outdated-library reports without an exploitable path).

Safe harbor

We will not pursue legal action against, or report to law enforcement, security researchers who:

  • Make a good-faith effort to avoid privacy violations, destruction of data, and degradation of service to other users.
  • Only test against accounts they own or have explicit permission to test.
  • Stop testing and submit a report as soon as a vulnerability is identified.
  • Don't exfiltrate, retain, or share data they encounter during testing.
  • Give us a reasonable window to fix before public disclosure (we typically agree on 90 days).

If you're unsure whether something is in scope or whether a test is OK, ask first. We'll respond with a plain answer.

What we don't offer

We don't currently run a paid bug-bounty program. We do credit researchers in our changelog when they request it, and we're happy to provide a written acknowledgment for your portfolio. If a bounty matters more than that, please look at programs from companies set up to run them at scale. We're a small team and disclosure quality matters more to us than payout volume.

Other ways to reach us

For non-security issues, the GitHub issue tracker is the right place. For privacy or data-handling questions, see the privacy policy or email privacy@contentrx.io.

The machine-readable version of this policy lives at /.well-known/security.txt per RFC 9116.