Responsible Disclosure

Last updated: June 2026

Warpstar Offensive Security takes the security of our own systems seriously. We welcome good-faith reports of security vulnerabilities in our web properties. This policy describes how to report a vulnerability, the scope it covers, and the commitments we make to researchers.

How to Report

If you believe you have found a security vulnerability in any Warpstar-operated system, please report it to us by email at security@warpstar.id. To help us triage and reproduce the issue efficiently, your report should include:

1. A clear description of the vulnerability and the affected component or URL.
2. Step-by-step instructions to reproduce the issue.
3. The potential impact or business risk as you assess it.
4. Any proof-of-concept (PoC) code, screenshots, or request/response captures that support your findings.
5. Your preferred contact method for follow-up.

Please do not submit vulnerability reports through our general contact form or social media channels.

Safe Harbor

We will not pursue legal action against security researchers who discover and report vulnerabilities in good faith in accordance with this policy. We consider good-faith research to include: accessing only the data necessary to demonstrate the vulnerability; not modifying or deleting data belonging to other users; not degrading the availability of our services; and disclosing to us before making the vulnerability public.

This safe harbor applies only to activity that complies with this policy. It does not extend to malicious exploitation, exfiltration of data, or activity that falls outside the scope defined below.

Scope

In scope: the Warpstar main website (warpstar.id) and all subdomains operated by Warpstar (e.g. www.warpstar.id, any API endpoints, admin interfaces).

Out of scope: third-party services and infrastructure we rely on but do not control, including Cloudflare (CDN, D1, Pages, Turnstile), Resend, domain registrars, and hosting providers. Vulnerabilities in those services should be reported directly to their respective security teams.

Also out of scope: social engineering attacks targeting Warpstar personnel; physical security attacks; denial-of-service (DoS) or volumetric attacks; automated scanning that degrades service performance; and attacks that require physical access to a user's device.

Researcher Guidelines

Please follow these guidelines to ensure your research remains within safe harbor:

Do not access, modify, or exfiltrate data belonging to other users — use only test accounts or data you created yourself.

Do not perform actions beyond what is necessary to demonstrate the vulnerability.

Give us a reasonable amount of time to investigate and remediate the issue before any public disclosure (we ask for at least 90 days, but will work with you if a shorter or longer timeline is warranted).

Do not extort or demand payment in exchange for vulnerability details or for withholding disclosure.

Our Commitment

When you submit a report under this policy, we commit to:

1. Acknowledging receipt of your report within five business days.
2. Providing an initial assessment of severity and affected scope within ten business days.
3. Keeping you informed of material progress toward remediation.
4. Notifying you when the vulnerability has been resolved.

We currently do not operate a bug bounty programme and cannot offer financial rewards for reports. We are genuinely grateful for responsible disclosures and will acknowledge researchers (with their consent) in any public advisory we issue.

Questions about this policy? Contact us at security@warpstar.id.