offduty

Vulnerability Disclosure Policy

Last updated: May 19, 2026

Our commitment

DiscoveryCo takes the security of offduty and the privacy of our users seriously. We welcome responsible disclosure of security vulnerabilities from the security community.

If you discover a security issue, please report it to us before making it public. We will investigate all legitimate reports promptly and work with you to understand and remediate the issue.

How to report

Please send vulnerability reports to:

Include as much detail as possible:

  • A description of the vulnerability and its potential impact
  • Steps to reproduce the issue (proof-of-concept, screenshots, or video)
  • The affected URL, endpoint, or component
  • Your name or handle (if you would like acknowledgment)

What to expect

1. Acknowledgement within 48 hours

We will confirm receipt of your report and begin our initial assessment.

2. Investigation and triage

We will investigate the report, reproduce the issue, and assess its severity. We'll keep you updated as we make progress.

3. Remediation

We aim to remediate confirmed vulnerabilities within 30 days for high-severity issues and 90 days for lower-severity findings, depending on complexity.

4. Disclosure coordination

We will coordinate with you on public disclosure timing. We ask that you do not disclose details publicly until the vulnerability has been resolved.

In scope

  • offduty.me and app.offduty.me (web application)
  • Authentication and authorisation flows
  • API endpoints and data handling
  • Gmail OAuth token handling and storage

Out of scope

  • Denial-of-service (DoS/DDoS) attacks
  • Social engineering attacks targeting our team
  • Physical security
  • Vulnerabilities in third-party services (Google, Stripe, Railway)
  • Issues that require physical access to a user's device

Our commitments to you

  • We will not pursue legal action against researchers who act in good faith
  • We will acknowledge your contribution publicly if you wish
  • We will keep you informed throughout the investigation process
  • We will handle all reports confidentially

Good faith expected

We ask that researchers act in good faith: avoid accessing or modifying data that belongs to other users, do not disrupt the Service, and do not use vulnerabilities to extract data beyond what is necessary to demonstrate the issue.