Woodfire Digital

Vulnerability Disclosure Policy

Reporting security issues.

If you've found a security issue in something Woodfire Digital runs, tell us. We'll read it, respond, and fix what needs fixing.

Version 1.0
Effective 2026-06-13
Contact support@woodfiredigital.com

No bug bounty

We do not offer monetary rewards, swag, or credits for vulnerability reports. This is a small company and we don't run a paid program. If you'd like public credit for a valid finding once it's fixed, we're glad to do that. Please tell us in your report whether you want to be credited and how to spell your name or handle.

In scope

Anything we own and operate, including:

  • woodfiredigital.com and any subdomain we serve
  • selfemploymenttoolkit.com and its application
  • saidly.ai and its application
  • The supporting infrastructure for any of the above (Cloudflare Workers, storage, email forwarding)

Out of scope

  • Findings that require physical access to a user's device or account
  • Reports based purely on automated scanner output with no demonstrated impact
  • Missing security headers, cookie flags, or rate limits on endpoints with no sensitive action
  • Social-engineering attempts against staff or customers
  • Denial-of-service testing, volumetric attacks, or anything that degrades service for real users
  • Issues in third-party services we use but do not control (open a report with that vendor instead)
  • Self-XSS, clickjacking on pages with no sensitive state, or missing best-practice configurations without an exploit path

How to report

Email support@woodfiredigital.com with a subject line that starts with [security]. Include:

  • A clear description of the issue and where it lives (URL, endpoint, product)
  • Steps to reproduce, with screenshots, logs, or a proof-of-concept if you have one
  • Your assessment of the impact — what could an attacker do with this?
  • How you'd like to be credited if the finding is valid (or "no credit")

If your report contains sensitive data, encrypt your message. We'll publish a PGP key here if there's enough demand.

What we ask of you

  • Do not access, modify, or destroy data that is not your own. Use test accounts you control.
  • Do not run automated scanners that generate significant traffic. Manual testing only.
  • Do not publicly disclose the issue before we've had a chance to fix it. Give us a reasonable window — typically 90 days, sooner if the fix lands faster.
  • Do not extort, threaten, or demand payment in exchange for the report. We have no bounty program; reports framed as ransom will be treated as criminal activity.

What we'll do

  • Acknowledge your report within 3 business days.
  • Triage and confirm the issue within 10 business days.
  • Tell you when a fix is planned or shipped.
  • Credit you, if you asked for that, once the fix is live.

Safe harbor

We will not pursue legal action against researchers who:

  • Make a good-faith effort to follow this policy
  • Avoid privacy violations, data destruction, and service degradation
  • Give us a reasonable window to fix the issue before public disclosure
  • Do not exploit the finding beyond what's needed to demonstrate it

If your research touches data that is not yours, stop as soon as you've established the issue and tell us. We treat accidental exposure as accidental, not adversarial, as long as you tell us about it.

Note. Safe harbor here applies only to Woodfire Digital LLC and the systems we operate. It cannot bind third parties whose data may be involved. Use judgment.

Updates

This policy lives at woodfiredigital.com/security. We may revise it. The version and date at the top of this page tell you when it last changed.