Responsible Disclosure

    Security Disclosure & Bug Bounty

    Pwdly's security model only works if it's continuously challenged. We welcome reports from independent researchers and treat every credible submission with the seriousness it deserves.

    How to report

    Email security@pwdly.app with a clear description of the issue, reproduction steps, and any relevant proof-of-concept code. We aim to acknowledge new reports within 2 business days.

    Please do not open public GitHub issues, social-media posts, or support tickets for security findings before we've had a chance to respond.

    What we're most interested in

    • Anything that breaks the zero-knowledge guarantee (server-side decryption, key leakage, plaintext exposure)
    • Authentication or session-management flaws (account takeover, privilege escalation, broken 2FA)
    • Cryptographic weaknesses in our key derivation, wrapping, or sharing flows
    • Cross-site scripting, CSRF, or injection bugs in the dashboard or marketing site
    • Logic flaws in invite, project membership, or offboarding flows
    • Supply-chain or build-pipeline issues that could compromise shipped code

    Out of scope

    • Denial-of-service, volumetric, or rate-limit testing against production
    • Findings from automated scanners without a working proof-of-concept
    • Missing security headers or best-practice cookie flags with no demonstrable impact
    • Social engineering of Pwdly staff, customers, or vendors
    • Physical attacks against our infrastructure or office locations
    • Issues that require a fully compromised victim device or browser extension

    Our commitment to you

    • We will acknowledge your report and keep you updated on remediation progress.
    • We will not pursue legal action against researchers acting in good faith and within this policy.
    • We will credit you publicly (with your permission) once a fix has shipped.
    • For high-impact reports, we offer monetary rewards on a discretionary basis - severity, quality of the report, and exploitability all factor in.

    Rules of engagement

    • Test only against accounts you own or have explicit permission to access.
    • Do not access, modify, or exfiltrate other users' data.
    • Stop testing and report immediately if you encounter user data.
    • Give us reasonable time to remediate before any public disclosure (we suggest 90 days).

    For machine-readable contact info, see our /.well-known/security.txt file, which follows the RFC 9116 standard.