Security Policy
We welcome reports from the security community. This policy explains how to disclose vulnerabilities to RYHA Technologies safely and responsibly.
1. Reporting a Vulnerability
If you believe you have found a security vulnerability in any RYHA Technologies property (ryha.dev and its subdomains), please report it to security@ryha.dev. Include a clear description, the affected URL or component, reproduction steps, and any proof-of-concept material. We aim to acknowledge reports within 3 business days.
2. Scope
In scope: the public ryha.dev web application and its API endpoints. Out of scope: third-party services we rely on (such as Supabase and Cloudflare) — please report those directly to the respective vendor. Denial-of-service testing, physical attacks, social engineering, and automated scanning that degrades service are not authorized.
3. Safe Harbor
We will not pursue legal action against researchers who act in good faith, avoid privacy violations and data destruction, do not disrupt our services, and give us reasonable time to remediate before public disclosure. Testing must stay within the scope above and use only your own accounts and data.
4. Our Commitments
We triage every valid report, keep you informed of remediation progress, and credit reporters who wish to be acknowledged once a fix ships. We do not currently operate a paid bug-bounty program, but we deeply value responsible disclosure.
5. Preferred Languages & Contact
Reports are accepted in English. Primary contact: security@ryha.dev. A machine-readable policy is published at https://ryha.dev/.well-known/security.txt in accordance with RFC 9116.
