Email security@yeswekanban.app. Include reproduction steps, the impact you observed, and any proof-of-concept code or screenshots. Encrypted reports welcome — ask and we'll share a PGP key.
Please don't publicly disclose the issue until we've had a chance to fix it. We'll acknowledge your report within 3 business days and aim to ship a fix within 30 days for critical issues.
yeswekanban.app app and API
www.yeswekanban.app deployment
/api/[transport]
If you make a good-faith effort to comply with this policy, we consider your research to be authorized. We won't pursue civil or criminal action against you, and we'll do our best to defend you from any third-party action arising from your participation.
We don't run a structured bounty program yet — yeswekanban is a small operation. When your report leads to a fix, we offer a discretionary payment proportional to severity and the effort you put in. As we grow, we'll formalize this and switch to a public program with published ranges.
Once a fix has shipped to production, we'll work with you on a disclosure timeline. Default: 90 days after the fix deploys, you're free to publish. Ask if you need shorter or longer; we're reasonable.