
Security & Responsible Disclosure

We take the security of Chair Six and our users seriously. If you've found a vulnerability, we want to hear from you.

Safe Harbor Protected · 48h Acknowledgment SLA · Good-Faith Researchers Welcome

Our Commitment to You

If you report a vulnerability in good faith, Chair Six commits to:

  • Acknowledge your report within 48 hours
  • Provide a status update within 7 days
  • Work to resolve critical issues within 30 days
  • Notify you when the issue is fixed
  • Credit you in our Hall of Fame (with permission)
  • Not pursue legal action against good-faith researchers

In Scope

  • chair-six.com and all subdomains
  • app.chair-six.com (web app)
  • Chair Six iOS app (App Store)
  • Authentication and session management
  • User data privacy and access control
  • API endpoints and Supabase RLS policies
  • SQL injection, XSS, CSRF, SSRF

Out of Scope

  • Spam, phishing, or social engineering attacks on users
  • Physical security attacks
  • Denial of service (DoS/DDoS)
  • Vulnerabilities in third-party services (Supabase, Vercel, Resend)
  • Issues requiring physical access to a device
  • Clickjacking on pages without sensitive actions
  • Missing non-critical security headers
  • Automated scanner reports without proof-of-concept

Severity Classification

Critical

Account takeover, mass data exposure, authentication bypass, privilege escalation to admin

High

PII exposure, IDOR allowing access to other users' private data, stored XSS

Medium

Reflected XSS, CSRF on sensitive actions, rate limiting bypass

Low

Minor information disclosure, non-critical misconfigurations

Safe Harbor

Chair Six will not initiate legal action against researchers who:

  • Act in good faith and comply with this policy
  • Avoid accessing, modifying, or deleting user data beyond what's necessary to demonstrate the vulnerability
  • Refrain from public disclosure until we've had a reasonable time to fix the issue
  • Do not exploit the vulnerability beyond minimal proof-of-concept

We consider security research conducted under this policy to be authorized and will work with researchers to understand and resolve issues quickly.

Submit a Report

Send reports by email to security@chair-six.com. You'll receive an auto-acknowledgment.

Reports are received by the Chair Six security team only. We do not share reporter details.

Contact

Security Reports: security@chair-six.com

General Support: chair-six.com/support

Please do not report security vulnerabilities through GitHub issues, social media, or public forums.

πŸ† Hall of Fame

We thank the following researchers for responsibly disclosing security issues to us.

Be the first — report a valid vulnerability and earn your spot here.

Encryption

For sensitive reports, you may encrypt your email to security@chair-six.com. Reply to our acknowledgment email to request our PGP public key.

All reports submitted through the web form are transmitted over HTTPS.