Security and vulnerability disclosure
Last revised: July 3, 2026
We take the security of diffy.gg and our contributors’ information seriously, and we welcome reports from security researchers. This page explains what you can test, how to report what you find, and what you can expect from us in return.
If you believe you’ve found a vulnerability, email us at security@diffy.gg before you do anything else. Please don’t open a public issue.
This is not a legal contract and has not been reviewed by counsel. It describes how we intend to work with researchers who report issues in good faith.
1. What’s in scope
Our production website and the code that runs it are in scope:
- diffy.gg — the public website, its API routes, and the checkout and contribution flows.
- Our public source repositories under github.com/diffy-hq.
Some things are out of scope. Please don’t test them:
- Third-party services we rely on — Stripe, Shopify, Sanity, and similar. Report issues in those platforms to the platform directly.
- Denial-of-service, volumetric, or load-testing attacks; anything that degrades service for others.
- Social engineering of our staff, contributors, or players; physical attacks; and spam.
- Reports from automated scanners with no demonstrated, exploitable impact, and best-practice suggestions that don’t map to a concrete vulnerability (for example, a missing header with no proof of exploitability).
2. Safe harbor
If you make a good-faith effort to follow this policy, we’ll treat your research as authorized. We won’t pursue or support legal action against you for security research that respects the rules here, and we’ll work with you if a third party raises a concern about research you did under this policy.
Good faith means you stay within scope, stop at the point you’ve proven an issue exists, and don’t access, modify, or delete more data than you need to demonstrate it. If you encounter anyone’s personal data during testing, stop, don’t save it, and tell us in your report.
3. How to report
Email security@diffy.gg with enough detail for us to reproduce and fix the issue. A good report includes:
- A clear description of the vulnerability and the impact you think it has.
- Step-by-step instructions to reproduce it.
- The affected URL, endpoint, or repository and file paths, if you know them.
- Any proof-of-concept code, requests, or screenshots that help.
Please report one issue per email, and give us a reasonable window to fix it before you share it publicly. We don’t run a paid bug-bounty program, but we’re glad to credit you in our release notes if you’d like.
4. What to expect from us
When you report an issue in good faith, we’ll:
- Acknowledge your report within three business days.
- Give you a first status update within ten business days.
- Keep you posted as we investigate, and let you know when the issue is resolved.
- Credit you when we publish the fix, if you want the credit and the details are safe to share.
5. Contact
Reach our security desk at security@diffy.gg. You can also read this policy in machine-readable form as a security.txt file (RFC 9116). For anything about how we handle personal data, see our privacy policy.