Vulnerability Disclosure Policy

Last updated: 07.03.2026

Introduction

[ MECANIK DEV ] takes the security of its systems and services seriously. We value the work of security researchers who help us improve our security posture.

This policy describes how to report vulnerabilities to us and what you can expect in return.

Scope

This policy applies to the following domains and services:

  • mecanik.dev
  • members.mecanik.dev
  • api.mecanik.dev

Reporting a Vulnerability

If you believe you have found a security vulnerability in any of our systems, please report it to us by emailing:

[email protected]

Please include the following in your report:

  • A description of the vulnerability
  • Steps to reproduce the issue
  • The potential impact of the vulnerability
  • Any proof-of-concept code, if available

What to Expect

  • Acknowledgement: We will acknowledge receipt of your report within 3 business days.
  • Assessment: We will investigate and validate the reported vulnerability.
  • Updates: We will keep you informed of our progress.
  • Resolution: We aim to resolve critical vulnerabilities as quickly as possible.
  • Recognition: With your permission, we will acknowledge your contribution on our Security Acknowledgements page.

Guidelines

We ask that security researchers:

  • Make every effort to avoid privacy violations, data destruction, and service disruption.
  • Only interact with accounts you own or with explicit permission of the account holder.
  • Do not exploit a vulnerability beyond what is necessary to demonstrate it.
  • Report vulnerabilities promptly and provide us reasonable time to address them before disclosing publicly.
  • Do not engage in social engineering, phishing, or physical attacks against our personnel or infrastructure.

Safe Harbour

We consider security research conducted in accordance with this policy to be:

  • Authorised under applicable anti-hacking laws.
  • Exempt from DMCA restrictions on circumvention of technology controls.

We will not pursue legal action against researchers who comply with this policy.

Exclusions

The following are not in scope:

  • Denial-of-service attacks
  • Social engineering attacks
  • Physical attacks
  • Spam or phishing campaigns
  • Vulnerabilities in third-party software or services not under our control