Vulnerability disclosure policy
Last updated: 2026-05-11 · Version 1
How to report
Email support@slidepractice.com with the subject line SECURITY. PGP key available at /.well-known/pgp-key.txt. Machine-readable contact at /.well-known/security.txt.
Service level commitment
Acknowledgement within 24 hours of report. Triage and severity assignment within 72 hours. Critical and high severity fixes deployed within 30 days; medium within 90 days; low within 180 days. Coordinated disclosure 90 days after fix.
Safe harbor
We commit not to pursue civil or criminal action against good-faith security research that: stays within the scope of slidepractice.com and its subdomains; does not exfiltrate, destroy, or modify other users’ data; does not degrade service availability for other users; does not violate applicable law beyond what is necessary to demonstrate the issue; and reports the finding promptly via the channel above.
Out of scope
Reports of weak SSL ciphers without exploit context, missing security headers without exploit context, missing rate limits on public endpoints without exploit context, social engineering of staff, denial-of-service attacks, and findings against third-party services we use (those go to the third party).
Recognition
We do not run a paid bounty program today. With your permission, we credit reporters publicly in our changelog. We will revisit a paid program at scale.