Security policy

How to report a security issue and what to expect in return.

Our machine-readable disclosure policy lives at /.well-known/security.txt

We take security seriously

Seth handles private conversations, reflections, and payment data. If you discover a vulnerability, please report it through the channel below before sharing it publicly. We treat good-faith researchers as partners — not adversaries.

How to report

evigilans-data@tuta.com

Use the "[SECURITY]" prefix in the subject line so it gets routed correctly. PGP is not required; the inbox is checked daily.

In your report, please include:

A clear description of the issue
Steps to reproduce (URL, request, payload, account used)
Impact assessment (what data or accounts could be affected)
Any proof-of-concept you are comfortable sharing

What happens next

Within 72 hours: you receive a human acknowledgement and a tracking reference.
Within 14 days: we confirm the issue, explain severity, and share a remediation plan.
Coordinated disclosure: we agree on a public disclosure date together. We will credit you if you want.
Delays happen: if a fix needs more than 90 days, we keep you informed with the reason.

In scope

In scope

sethapp.com and its production subdomains
The public chat, auth, payment, and webhook endpoints
Supabase / ElizaOS integrations via our apps
Service worker and push notification handling

Out of scope

Third-party services (Stripe, Supabase, NOWPayments) — report those directly to the vendor
Social engineering attacks against employees or users
Denial-of-service against production (please do not load-test us)
Physical attacks or anything that breaks applicable laws
Missing best-practice headers without demonstrable impact

Safe harbor

If you follow this policy in good faith — no data exfiltration, no account takeover of other users, no service disruption — we will not pursue legal action against you. Keep test activity on accounts you control, stop as soon as you confirm impact, and never access data that isn't yours.

Bounties

We currently run a reputation-based program rather than paid bounties. Meaningful reports are acknowledged publicly (with your permission) and get priority support. We reserve the right to offer rewards at our discretion for critical issues.

Last updated: April 2026

We take security seriously

How to report

evigilans-data@tuta.com

Use the "[SECURITY]" prefix in the subject line so it gets routed correctly. PGP is not required; the inbox is checked daily.

In your report, please include:

A clear description of the issue
Steps to reproduce (URL, request, payload, account used)
Impact assessment (what data or accounts could be affected)
Any proof-of-concept you are comfortable sharing

What happens next

Within 72 hours: you receive a human acknowledgement and a tracking reference.

Within 14 days: we confirm the issue, explain severity, and share a remediation plan.

Coordinated disclosure: we agree on a public disclosure date together. We will credit you if you want.

Delays happen: if a fix needs more than 90 days, we keep you informed with the reason.

In scope

In scope

sethapp.com and its production subdomains
The public chat, auth, payment, and webhook endpoints
Supabase / ElizaOS integrations via our apps
Service worker and push notification handling

Out of scope

Third-party services (Stripe, Supabase, NOWPayments) — report those directly to the vendor
Social engineering attacks against employees or users
Denial-of-service against production (please do not load-test us)
Physical attacks or anything that breaks applicable laws
Missing best-practice headers without demonstrable impact