Security Policy

At Keep It What, we take the security of our systems and your data seriously. We appreciate the security research community and welcome responsible disclosure of vulnerabilities.

Reporting a Vulnerability

If you believe you have found a security vulnerability in our systems, please report it to us responsibly. We ask that you:

  • Email us at security@keepitwhat.com
  • Provide sufficient detail to reproduce the vulnerability
  • Give us reasonable time to respond and fix the issue before public disclosure
  • Do not access, modify, or delete data belonging to others
  • Do not perform actions that could harm our services or other users

What We Ask

  • Act in good faith to avoid privacy violations, data destruction, or service disruption
  • Only test against accounts you own or have explicit permission to test
  • Do not use automated scanning tools that generate excessive traffic
  • Do not attempt social engineering attacks against our staff
  • Do not attempt physical attacks against our infrastructure

Our Commitment

  • We will acknowledge receipt of your report within 48 hours
  • We will provide an initial assessment within 7 days
  • We will keep you informed of our progress
  • We will not take legal action against researchers who follow this policy
  • We will credit you in our security acknowledgments (if desired)

Scope

The following are in scope for security testing:

  • www.keepitwhat.com
  • keepitwhat.com
  • Our API endpoints at /api/*

The following are out of scope:

  • Third-party services (Stripe, Supabase, Vercel, etc.)
  • Denial of service attacks
  • Physical security
  • Social engineering
  • Spam or phishing

Security Measures

We employ industry-standard security measures including:

  • HTTPS encryption for all communications
  • PCI DSS-compliant payment processing via Stripe
  • Regular security scanning and monitoring
  • Row-level security on database tables
  • CSRF protection on all forms
  • Rate limiting on API endpoints
  • Input validation and sanitization
  • Security headers (CSP, HSTS, X-Frame-Options, etc.)

Contact

For security concerns: security@keepitwhat.com

For general enquiries: hello@keepitwhat.com

Last updated: January 2026