Security
Security Policy
We welcome reports of security vulnerabilities. Please email security@steadyhq.com with:
Description of the issue
Affected URLs/endpoints
Steps to reproduce
Expected vs actual behavior
Proof-of-concept (text only, no live exploits)
Scope
In-scope: steadyhq.com, steady.page, all subdomains we operate, our official apps, and our API.
Out-of-scope: third-party services, social accounts, physical offices, spam, social engineering.
Common exclusions: clickjacking on pages with no sensitive actions, missing security headers without a demonstrated exploit, rate-limiting or brute-force findings without real impact, SSL/TLS best-practice warnings.
Rules of Engagement
No DoS, stress tests, or automated scans beyond normal rate limits.
Do not access, modify, or exfiltrate data that isn’t yours. Use test data only.
Test only against accounts you own or have explicit permission to use.
If you encounter sensitive data, stop testing immediately and report it privately.
Our Commitment
Acknowledge reports within 3 business days.
Provide triage updates within 7 business days.
Fix timelines depend on severity and complexity.
Safe Harbor
We will not pursue legal action for good-faith testing and disclosure that follows this policy.
Recognition & Rewards
We offer the following bounty tiers for valid, in-scope vulnerabilities. Severity is determined by us based on impact and exploitability:
Low: $100
Medium: $300–$500
High: $1,000
Please note:
Not all submissions will qualify for a reward. Trivial findings, best-practice recommendations, or issues without clear security impact are not eligible for payouts.
Rewards are granted at our discretion, based on severity and impact.
Only the first valid report of a vulnerability will be eligible for a reward.
With your permission, we may also credit you publicly once the fix has been deployed.