Responsible Disclosure
Security matters. If you believe you’ve found a vulnerability in HeffTools, we appreciate responsible, good-faith reports.
This policy describes how to report security issues and what to expect in return.
Scope
This policy applies to:
- The hefftools.dev website
- HeffTools web tools
- HeffTools APIs
Third-party services used by HeffTools (such as RapidAPI or hosting providers) are governed by their own security and disclosure policies.
How to report a vulnerability
If you believe you’ve found a security issue, please report it via the contact page.
To help with triage, please include:
- A clear description of the issue
- The affected endpoint, tool, or page
- Steps to reproduce (if applicable)
- Any relevant request/response details
If possible, include [SECURITY] at the start of your message.
Guidelines for researchers
Please:
- Act in good faith
- Limit testing to what is necessary to demonstrate the issue
- Avoid accessing, modifying, or deleting user data
- Avoid actions that degrade service availability
Please do not:
- Perform denial-of-service attacks
- Attempt social engineering or phishing
- Exploit vulnerabilities beyond proof-of-concept
- Publicly disclose issues before they are addressed
What you can expect
Good-faith security research is welcome.
If you follow this policy:
- You will not be subject to legal action for your report
- Reports will be reviewed as time allows
- Reasonable efforts will be made to validate and address issues
HeffTools does not currently operate a bug bounty program.
Out of scope
- Issues in third-party services or dependencies
- Rate-limit enforcement or abuse prevention mechanisms
- Non-security bugs or feature requests
- Reports based on outdated browsers or unsupported clients
For non-security issues, please use the regular contact page.
Disclosure timeline
HeffTools aims to address valid security issues in a reasonable timeframe. Disclosure timelines may vary depending on severity and complexity.
Coordinated disclosure is preferred.