Contact: mailto:security@iconsprint.com
Contact: https://iconsprint.com/contact
Canonical: https://iconsprint.com/.well-known/security.txt
Language: en
Expires: 2026-07-25T23:59:59.000Z

If you find a weakness, we'd love to hear about it! We want to fix it ASAP to keep our clients and systems safe. Your help means the world to us!

## In Scope - High Priority Issues

We are particularly interested in vulnerabilities affecting:

- **Credit System Manipulation**: Any bypass of server-side credit calculation or payment validation
- **Icon Access Control**: Unauthorized access to private icons or S3 resources
- **Authentication Bypass**: Magic link token manipulation, session hijacking, or privilege escalation
- **API Security**: Authentication bypass, data manipulation, or unauthorized access to user data
- **Payment Processing**: LemonSqueezy webhook manipulation or billing bypass
- **File Upload/Generation**: Malicious icon generation requests or file system access

## Out of Scope Issues

The following issues are generally out of scope **unless they demonstrate a clear impact**:

- Clickjacking on pages without sensitive actions.
- CSRF attacks on unauthenticated/logout/login endpoints.
- Attacks requiring MITM or physical access to a user's device.
- Attacks relying on social engineering.
- Issues caused solely by missing security headers (CSP, DNSSEC, CAA, etc.) **without an exploit scenario**.
- Lack of the Secure or HttpOnly flag on **non-sensitive** cookies.
- Dead links or minor text injection without security impact.
- Email spoofing (unless SPF, DKIM, or DMARC misconfigurations enable domain abuse).
- User enumeration through magic link endpoints (by design for UX).
- Rate limiting bypasses on non-critical endpoints.
- Public icon metadata exposure (intended functionality).

## Testing Guidelines

**Critical Systems to Avoid:**

- **Production Credit Deduction**: Do not attempt to manipulate real credit transactions
- **Payment Systems**: Do not test with real payment methods or attempt to bypass the LemonSqueezy integration
- **OpenAI API Abuse**: Do not attempt to generate excessive icons or exploit AI generation endpoints
- **S3 Bucket Access**: Do not attempt direct S3 access or bucket enumeration
- **Database Manipulation**: Do not attempt SQL injection or RLS policy bypass beyond a proof of concept

**Acceptable Testing:**

- Test endpoints with minimal impact using test accounts
- Report authentication/authorization issues with a proof of concept only
- API fuzzing on low-impact endpoints with reasonable rate limits
- Client-side security testing on non-production environments

Guidelines for testing:

- **Do not test vulnerabilities on production systems** beyond what is necessary to prove their existence.
- Avoid running automated scanners or fuzzing tools that could disrupt services or impact customers.
- If you discover a vulnerability, **do not exploit it further** (e.g., do not exfiltrate data or manipulate records beyond what is necessary for a proof of concept).
- Focus on business logic flaws in credit calculation, icon access control, and authentication flows.

## Reporting Guidelines

Please submit reports through:

- **Primary**: security@iconsprint.com (encrypted reports welcome)
- **Alternative**: https://iconsprint.com/contact

**Required Information:**

- Detailed description of the vulnerability and its potential impact
- Step-by-step reproduction instructions
- Affected endpoints, parameters, or components
- Proof-of-concept code or screenshots (if applicable)
- Your assessment of severity and business impact

**For Credit/Payment Issues:**

- Include specific API endpoints and request/response examples
- Document any discrepancies between client and server calculations
- Provide transaction IDs or request IDs if available

**For Access Control Issues:**

- Specify affected resources (icons, user data, etc.)
- Include user IDs and icon IDs for reproduction
- Document the expected vs. actual authorization behavior

## Disclosure Policy

**Timeline:**

- We request at least **90 days** to address reported issues before public disclosure
- **Critical vulnerabilities**: We commit to an initial response within 24 hours and patches within 7 days
- **High severity**: Initial response within 48 hours, patches within 30 days
- **Medium/Low severity**: Response within 5 business days, patches within 90 days

**Coordination:**

- We request discussion before disclosure if an issue remains unpatched beyond the agreed timeline
- If you plan to present research publicly, please notify us at least 30 days in advance
- We're happy to collaborate on coordinated disclosure and timeline adjustments

## Our Commitments

**Response & Communication:**

- Initial acknowledgment within 5 business days (24 hours for critical issues)
- Regular updates on remediation progress
- Clear timeline for fixes and deployment
- Credit for discovery (unless you prefer anonymity)

**Legal Protection:**

- No legal action for good-faith security research conducted within these guidelines
- Safe harbor for researchers following responsible disclosure
- Confidentiality of your personal information and research details

## Recognition

We currently **do not offer monetary rewards** for security reports. However, we recognize valuable contributions through:

- Public acknowledgment on our security page and in release notes
- Direct communication of impact and appreciation
- Priority consideration for future bug bounty programs
- Professional references and recommendations upon request