Jivaro Trust Center
Security & Vulnerability Disclosure Policy
This policy explains how security researchers, users, customers, contributors, and readers can responsibly report vulnerabilities or security concerns affecting systems Jivaro controls.
Jivaro welcomes good-faith security reports that help protect readers, users, authors, customers, research contributors, and the wider platform. Reports should be careful, limited in scope, reproducible, and designed to reduce harm rather than create it.
Security reports should be clear, limited, and reproducible without harming users or systems.
Researchers must not access, copy, expose, modify, or delete data that is not theirs.
Denial-of-service, spam, phishing, social engineering, and destructive testing are prohibited.
Jivaro does not currently operate a public bug bounty program; any exception will be stated separately.
Scope of this policy
This policy applies to security concerns involving systems Jivaro controls, including website pages, apps, tools, calculators, generators, browser utilities, games, interactive features, store and checkout-related pages, downloads, digital products, account and login features, forms, uploads, contact and support workflows, submission workflows, research submission systems, Jivaro Journal-related systems, and any public APIs or backend services that Jivaro operates.
This policy does not make Jivaro responsible for independent third-party platforms that Jivaro does not control, such as payment processors, website hosting providers, Discord, Google, GitHub, email providers, analytics services, social platforms, affiliate networks, or other external services. However, reports may be relevant if a third-party integration, configuration, or workflow directly affects Jivaro users.
Core standard
A good report helps Jivaro understand and fix a real issue without exposing private data, disrupting users, damaging systems, or creating unnecessary risk.
Systems this policy may cover
Website pages
Public pages, Trust Center pages, blog pages, news pages, research pages, store pages, app pages, and other Jivaro-controlled website areas.
Apps and tools
Jivaro apps, calculators, generators, browser utilities, file tools, coding tools, finance tools, research tools, and other interactive features.
Store and downloads
Store pages, checkout-related flows, digital products, downloadable resources, product delivery workflows, and related customer access features.
Accounts, forms, and uploads
Account features, login flows, contact forms, support requests, file uploads, submissions, customer information workflows, and user-facing data flows.
Research systems
Research submission workflows, Jivaro Journal-related pages, author submission materials, editorial workflows, reviewer-related systems, and publication forms.
Games and interactive features
Games, interactive pages, embedded utilities, browser-based experiences, and other user-facing software features controlled by Jivaro.
APIs and backend services
Public APIs, backend services, or server-side workflows may be in scope if Jivaro operates them and the issue affects Jivaro users or systems.
Third-party integrations
Third-party services may be relevant only when the issue directly affects Jivaro users because of Jivaro’s integration, configuration, or implementation.
Security issues that may be in scope
The examples below are not exhaustive. A report may be useful if it demonstrates a real security, privacy, access-control, data-exposure, or user-safety issue affecting Jivaro-controlled systems.
Application vulnerabilities
Cross-site scripting, injection (for example SQL, command, or template injection), authentication bypass, authorization flaws, exposed admin features, open or otherwise insecure redirects, and similar application-level issues.
Sensitive data exposure
Accidental public files, exposed tokens, secrets, credentials, private configuration, customer data, account data, form submissions, research submissions, or other sensitive information.
File and upload issues
Unsafe file upload behavior, malicious file handling, unsafe downloads, path traversal, file disclosure, or upload workflows that expose or process data incorrectly.
Broken access control
Issues involving accounts, forms, customer data, support requests, submissions, downloads, store access, research submissions, or private workflows that allow unauthorized access.
App and tool security issues
Unsafe local storage behavior, unintended data leakage, share-link exposure, tool-output exposure, insecure data handling, or app behavior that reveals information unexpectedly.
Store and payment-adjacent issues
Issues that expose user data, order data, download access, or unauthorized account access. Ordinary pricing complaints, refund disputes, or payment-provider issues are not security vulnerabilities.
Configuration and dependency issues
Vulnerable dependencies, misconfigured security headers, mixed content, open redirects, exposed files, or other configuration problems, where the report demonstrates real impact rather than relying on a scanner finding alone.
Privacy-impacting bugs
Bugs involving forms, analytics, app inputs, tool outputs, uploaded files, saved state, local storage, share links, or third-party integrations that could expose user information.
Lower-priority reports
Low-impact findings such as missing security headers without a demonstrated exploit, unverified scanner output, software version banners, theoretical attacks, or issues without realistic exploitability may be treated as lower priority unless the report shows real user, system, privacy, or data risk.
Rules for good-faith security testing
Security testing must be limited, careful, and designed to avoid harm. If testing causes unexpected access or risk, stop immediately and report the issue.
Act in good faith
Report vulnerabilities promptly and provide only the information needed to demonstrate and reproduce the issue.
Do not access private data
Do not access, modify, delete, download, copy, expose, retain, or share data that is not yours or that you do not have permission to use.
No destructive testing
Do not run destructive tests, denial-of-service tests, spam, phishing, credential stuffing, brute force, social engineering, physical attacks, or attacks against users, staff, contributors, vendors, or third parties.
No payment abuse
Do not test payment fraud, use stolen card data, trigger chargebacks, abuse refunds, place fake purchases, take over accounts that are not your own, or otherwise manipulate the store or its financial workflows.
Use your own data
Use only accounts, files, forms, test data, submissions, and materials you own or have permission to use.
Stop if private data appears
If you accidentally access private data, stop testing immediately, do not save or share the data, and report the issue with minimal proof.
No premature public disclosure
Do not publicly disclose vulnerability details before Jivaro has had a reasonable chance to investigate and fix the issue.
No persistence or escalation
Do not use a vulnerability to gain persistence, escalate beyond the minimum proof of concept, pivot to other systems, disrupt users, or access unrelated systems.
Out-of-scope or prohibited activity
Denial of service
Load testing, stress testing, resource exhaustion, bandwidth abuse, and any other denial-of-service activity are prohibited.
Social engineering
Phishing, impersonation, pretexting by phone or email, manipulation of support channels, and targeting of employees or contributors are prohibited.
Physical security testing
Physical intrusion, device access, office testing, mail testing, or attacks against physical infrastructure are out of scope.
Third-party systems
Independent third-party platforms are out of scope unless the issue directly affects Jivaro users because of Jivaro’s integration or configuration.
Spam and content abuse
Mass signups, comment spam, form spam, fake orders, fake submissions, spam campaigns, or abuse of support channels are prohibited.
Extortion or threats
Threats, extortion, demands for payment, coercive disclosure, or attempts to force a response through pressure tactics are not responsible disclosure.
How to report a security issue
Security reports should be sent through the Contact page. If available, researchers may also open a Discord ticket and clearly label the report as a security or vulnerability disclosure.
Reports should be specific, reproducible, and limited to what is necessary to demonstrate the issue. Do not include private user data, sensitive records, stolen credentials, or unnecessary exploit details.
Submit a report
Use the Contact page for vulnerability reports, privacy-impacting bugs, exposed data, app/tool security issues, or responsible disclosure questions.
Helpful report details
- The affected URL, app, tool, form, feature, or workflow.
- A concise description of the vulnerability or concern.
- Steps to reproduce the issue using safe test data.
- The potential impact on users, data, systems, or privacy.
- Screenshots or video if they do not expose private data.
- Your browser, device, operating system, and relevant environment details.
- Whether you accidentally accessed private data, and confirmation that you stopped testing.
- A suggested fix or mitigation if known.
- Your preferred contact information and whether you want public credit.
Do not include
Do not include passwords, private keys, API keys, private user data, payment data, medical information, financial records, confidential submissions, or unnecessary sensitive details in the report. If the issue is an exposed secret, reference its location and a redacted prefix rather than pasting the full value.
How Jivaro handles reports
Initial review
Jivaro may review whether the report is in scope, reproducible, specific, safe, and relevant to systems Jivaro controls.
Prioritization
Reports may be prioritized based on exploitability, data sensitivity, user impact, privacy risk, payment risk, research-submission risk, scope, and feasibility.
Investigation
Jivaro may investigate the issue, request more information, test a fix, contact a third-party provider, update a tool, change a configuration, or restrict a feature.
Fixes and mitigations
Possible actions may include patching code, changing settings, removing exposed data, disabling a feature, updating documentation, changing data handling, or adding a notice.
No guaranteed response
Jivaro reviews security reports but cannot guarantee a response, timeline, fix, bounty, reward, public credit, or specific outcome for every submission.
Report rejection
Jivaro may decline reports that are spammy, automated, abusive, vague, non-reproducible, scanner-only, misleading, out of scope, or submitted in violation of this policy.
Good-faith reporting and safe harbor limits
Jivaro does not intend to treat good-faith researchers as malicious merely because they report a valid security issue while following this policy. Responsible reports are helpful and appreciated.
This policy is not a promise of legal immunity, authorization to break laws, permission to access private data, or permission to attack third-party systems. Researchers remain responsible for complying with applicable laws and third-party terms.
Safe harbor is conditional
Good-faith treatment depends on following this policy, avoiding harm, using only authorized data, stopping when private data appears, and reporting promptly.
Public disclosure and credit
Coordinated disclosure
Researchers should not publicly disclose vulnerability details before Jivaro has had a reasonable opportunity to investigate, mitigate, and respond.
Public credit
Jivaro may offer public credit if the researcher wants it and the report is valid, helpful, in scope, responsibly handled, and safe to acknowledge publicly.
No guaranteed credit
Public credit is not guaranteed. Jivaro may decline public attribution for safety, privacy, legal, operational, duplicate-report, or policy reasons.
No public exploit details
If public credit or disclosure happens, it should not include exploit details, private data, sensitive paths, credentials, or instructions that could harm users or systems.
Rewards and bug bounties
Jivaro does not currently operate a public bug bounty program unless a separate bounty page, written agreement, or official announcement says otherwise. Security reports are appreciated, but submitting a report does not entitle the reporter to payment, reward, credit, employment, contract work, services, products, or other compensation.
Third-party platforms and providers
Independent third parties
Jivaro may use third-party services for hosting, website infrastructure, payments, analytics, email, Discord, GitHub, ads, affiliate links, forms, store features, and other functions.
Report to the right owner
If a vulnerability affects a third-party provider independently of Jivaro’s configuration or integration, report it to that provider through its own security process.
Jivaro integrations
If a third-party issue affects Jivaro users because of Jivaro’s integration, configuration, embed, workflow, or data handling, it may still be useful to report it to Jivaro.
Security.txt and future reporting channels
Jivaro may add a /.well-known/security.txt file (the machine-readable contact file defined in RFC 9116) or another dedicated reporting channel in the future. If available, that file may point to this policy, the Contact page, and any current security-reporting instructions.
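For illustration only, and not a file Jivaro currently publishes, this is what a minimal RFC 9116 security.txt pointing at a disclosure policy like this one looks like. The domain, paths, and date are placeholders; the field names and the requirement that Contact and Expires be present come from the RFC.

```text
# Placeholder example of /.well-known/security.txt (RFC 9116).
# The hostname and paths below are assumptions, not Jivaro's real URLs.

# At least one Contact is required; use an https:, mailto: or tel: URI.
Contact: https://example.com/contact

# Expires is required; the RFC recommends a date less than one year ahead.
Expires: 2026-01-01T00:00:00.000Z

# Optional: the human-readable disclosure policy this file points to.
Policy: https://example.com/trust/security-disclosure-policy

# Optional: the canonical location of this file, so copies elsewhere can be detected.
Canonical: https://example.com/.well-known/security.txt

# Optional: languages the reporting channel can handle.
Preferred-Languages: en
```

The file must be served over HTTPS from the /.well-known/ path with a text/plain media type, and the Expires value is what tells researchers whether the contact information is still current; rotate it before it lapses.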
Related Jivaro policies
Privacy Policy
Explains how Jivaro handles privacy, personal information, cookies, forms, store purchases, research submissions, apps, tools, analytics, and third-party services.
Apps Data Policy
Explains how Jivaro apps and tools may handle local storage, tool inputs, file uploads, share links, analytics, third-party APIs, and AI services.
Terms of Use
Explains the terms that govern use of Jivaro content, apps, tools, store products, services, downloads, accounts, and submissions.
Corrections Policy
Explains how Jivaro reviews, corrects, clarifies, updates, removes, or labels content when meaningful issues are identified.
AI Use Policy
Explains how Jivaro may use AI tools and where AI use is restricted, including privacy and research-integrity concerns.
Copyright Policy
Explains copyright, licensing, reuse, quotations, apps, tools, digital products, and permission requests.
Updates to this policy
Jivaro may update this Security & Vulnerability Disclosure Policy as the website, apps, tools, research systems, store, services, reporting channels, infrastructure, third-party providers, security practices, or legal obligations change.
