# KeepTier — security disclosure policy (RFC 9116)
#
# KeepTier is a solo-built, pre-launch Patreon alternative. The live
# surface today is the keeptier.com landing page + Apple-Tax Calculator,
# a client-side share-card renderer, and a waitlist collector at
# POST /api/waitlist. Stripe Checkout and the Discord/Telegram role
# webhook are not yet shipped; when they land, the scope below will be
# updated before anything production-bound goes live.
#
# If you've found a security issue, please tell us before you tell
# anyone else. We'll acknowledge within 48 hours and work with you on
# a fix. We'd rather hear it from you than from a creator whose
# waitlist email just showed up in a paste dump.
#
# This file is served at two paths for RFC 9116 compliance:
#   https://keeptier.com/.well-known/security.txt   (canonical)
#   https://keeptier.com/security.txt               (legacy fallback)
# Both carry identical content. Reports go to the Contact addresses
# below; if both copies are ever found to differ, RFC 9116 §3 says the
# /.well-known/ copy is the one to trust.

Contact: mailto:hi@keeptier.com
Contact: https://x.com/bitinvestigator
Expires: 2027-04-24T00:00:00Z
Preferred-Languages: en
Canonical: https://keeptier.com/.well-known/security.txt
Canonical: https://keeptier.com/security.txt
Policy: https://keeptier.com/.well-known/security.txt

# ------------------------------------------------------------------
# In scope
# - keeptier.com and the www.keeptier.com / keeptier.85-9-209-84.sslip.io
#   aliases (all three serve the same static root + API)
# - the Apple-Tax Calculator on the homepage (client-side math, no
#   server round-trip) and its client-side share-card canvas render
# - the waitlist collector at POST https://keeptier.com/api/waitlist
#   (factory-shared Node service writing to per-agent SQLite)
# - the long-form explainers at /blog/apple-tax.html,
#   /blog/web-only-patreon.html, /blog/patreon-alternatives.html,
#   and the /blog/ hub + /blog/feed.xml
#
# Out of scope
# - social profiles (the @bitinvestigator X account and any
#   third-party mentions linking to keeptier.com)
# - Caddy, Node.js, SQLite, and other upstream software we run —
#   please report those to their maintainers first; if the advisory
#   affects our installation, forward it and we'll track remediation
# - the shared GitLab and Spaceship accounts — report to those
#   providers directly; if you notify us we will rotate credentials
# - Stripe, Discord, Telegram — these integrations are NOT yet shipped
#   on keeptier.com; if you find a flaw in their surfaces, file with
#   them. Once we wire them up, this file will be updated and those
#   flows will become in scope.
#
# Rules of engagement
# - please do not access, modify, exfiltrate, or destroy data that
#   isn't yours (the waitlist table is the only user data on disk
#   today; treat it accordingly)
# - please cap automated scanning at roughly 1 request per second —
#   the VPS is shared with other pre-launch projects and scanner
#   noise is the dominant cost driver on the shared account
# - please do not submit fake waitlist emails at volume as part of
#   a test; if you need to exercise /api/waitlist, one or two POSTs
#   with an obvious marker (e.g. security-test+@...) are
#   plenty, and tell us in the report so we can clean up
# - if a test inadvertently touches data you didn't intend to reach,
#   stop, tell us, and we'll work out disclosure together
#
# Disclosure window
# We ask for a 90-day embargo between your initial report and any
# public writeup, extendable by mutual agreement if the fix isn't
# ready. We will work with you on a timeline that reflects severity
# and exploit complexity — we won't ambush you with "please keep it
# private forever" after accepting a report.
#
# What you get
# - an acknowledgement from a real human inside 48 hours, not an
#   auto-reply
# - a written fix plan with a target shipping date, or a clear
#   explanation of why we've chosen to accept the risk and what
#   compensating controls are in place
# - public credit on the site once the fix ships, with your name and
#   link of choice (or anonymous if you prefer)
# - no bug bounty at this stage — we're pre-revenue, single operator;
#   this is explicitly a research-and-credit arrangement, not a paid
#   programme, and we'd rather be honest about that up front than
#   hint at a reward pool that doesn't yet exist. If KeepTier reaches
#   revenue that can sustain one, this file will be updated
#
# Safe harbour
# Good-faith security research conducted under this policy will not
# trigger legal action from us. If a third party (hosting provider,
# registrar, or upstream service) takes action against you for
# something you reported to us in good faith, we will advocate on
# your behalf and document the engagement publicly if that helps.
#
# ------------------------------------------------------------------
# Meta
# Expires 2027-04-24, one year from publication. RFC 9116 §2.5.5
# recommends an Expires value less than a year in the future, so this
# file will be refreshed before that date, or rotated sooner if contact
# details change. Historic versions live in the public landing repo's
# git history.
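A quick way to confirm that a file like the one above still satisfies RFC 9116 after each refresh is to lint it for the rules the RFC actually imposes: Contact and Expires present, Expires and Preferred-Languages not repeated, Contact values given as mailto/tel/https URIs, Expires parseable and not more than a year out, and the URL you fetched from listed under Canonical. The checker below is an added example written for this page, not KeepTier's code. SAMPLE is a constructed copy of the field lines shown above, `now_iso` is passed in rather than read from the clock so the run is deterministic and offline, and the OpenPGP signature check the RFC also recommends is deliberately left out (the file above is unsigned).

```python
"""Lint the RFC 9116 fields of a security.txt (added example, not KeepTier's code).

Assumptions: SAMPLE is a constructed copy of the field lines on this page;
`now_iso` is supplied by the caller so the result does not depend on the
wall clock; no OpenPGP signature verification is attempted.
"""
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Constructed sample mirroring the non-comment lines of the KeepTier file.
SAMPLE = """\
# comment lines and blank lines are ignored by the parser
Contact: mailto:hi@keeptier.com
Contact: https://x.com/bitinvestigator
Expires: 2027-04-24T00:00:00Z
Preferred-Languages: en
Canonical: https://keeptier.com/.well-known/security.txt
Canonical: https://keeptier.com/security.txt
Policy: https://keeptier.com/.well-known/security.txt
"""

# RFC 9116 section 2.5: Contact and Expires MUST be present; Expires and
# Preferred-Languages MUST NOT appear more than once; Contact and Canonical MAY.
REQUIRED = ("contact", "expires")
SINGLETON = ("expires", "preferred-languages")
# Section 2.5.3: Contact values are URIs; these are the schemes the RFC names.
CONTACT_SCHEMES = ("mailto", "tel", "https")


def parse_fields(text):
    """Map lowercase field name -> list of values, in file order."""
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Split on the first colon only, so URI values keep their own colons.
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"not a field line: {raw!r}")
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields


def parse_rfc3339(value):
    """Return an aware datetime, or None if the value is not a usable timestamp."""
    try:
        dt = datetime.fromisoformat(value.replace("Z", "+00:00"))
    except ValueError:
        return None
    return dt if dt.tzinfo is not None else None


def check(text, served_at, now_iso):
    """Return a list of problems; an empty list means the file passes."""
    now = parse_rfc3339(now_iso)
    if now is None:
        raise ValueError(f"now_iso is not an RFC 3339 timestamp: {now_iso!r}")
    problems = []
    fields = parse_fields(text)
    for name in REQUIRED:
        if name not in fields:
            problems.append(f"missing required field {name}")
    for name in SINGLETON:
        if len(fields.get(name, [])) > 1:
            problems.append(f"{name} appears more than once")
    for contact in fields.get("contact", []):
        if urlparse(contact).scheme not in CONTACT_SCHEMES:
            problems.append(f"contact is not a mailto/tel/https URI: {contact}")
    for value in fields.get("expires", [])[:1]:
        exp = parse_rfc3339(value)
        if exp is None:
            problems.append(f"expires is not an RFC 3339 timestamp: {value}")
        elif exp <= now:
            problems.append(f"file expired at {value}")
        elif exp - now > timedelta(days=365):
            # Section 2.5.5: RECOMMENDED to be less than a year in the future.
            problems.append("expires is more than a year out")
    canonical = fields.get("canonical", [])
    if canonical and served_at not in canonical:
        # Section 2.5.2: if the URL you fetched from is not in the Canonical
        # list, this copy may not be the authoritative one.
        problems.append(f"served URL {served_at} not listed in Canonical")
    return problems


if __name__ == "__main__":
    for line in check(SAMPLE, "https://keeptier.com/.well-known/security.txt",
                      "2026-04-24T00:00:00Z") or ["ok"]:
        print(line)
```

Run against the sample on its publication date the checker reports nothing; run it a few months earlier and it flags the Expires value as more than a year out, which is exactly the window RFC 9116 asks operators to stay inside. Feeding it the legacy URL as `served_at` also passes, because both paths are listed under Canonical.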