Vulnerability Disclosure Policy
Last updated: 27 April 2026
We welcome reports from security researchers. Send findings to security@renewly.gg with steps to reproduce, affected URLs, and impact.
Scope
All renewly.gg subdomains and the Renewly application. Out of scope: third-party services we use (report directly to those vendors), social engineering of staff, denial-of-service testing, and physical attacks against our infrastructure providers.
Safe harbor
We will not pursue legal action against researchers who follow this policy: act in good faith, avoid privacy violations, do not exfiltrate data beyond what is needed to demonstrate the issue, and give us reasonable time to remediate before public disclosure. If a third party initiates legal action against you for activity conducted in accordance with this policy, we will make this authorization known.
Response timeline
- We acknowledge reports within 1 business day.
- We provide a remediation timeline within 5 business days.
- Critical issues are addressed within 7 days.
- We notify the reporter when a fix ships and credit them where requested.
Bounty
We do not currently offer monetary bounties. With their permission, we credit researchers in our security acknowledgements.
Machine-readable contact
Our security.txt file follows RFC 9116 with the same contact and policy URLs.