Our Commitment
What we promise to you
If you report a security vulnerability to us in good faith, we commit to:
- Acknowledge your report within 48 hours — you will hear back from us, not silence
- Keep you informed of our progress — we will update you as we investigate and fix the issue
- Not take legal action against you — good-faith security research is welcome here
- Credit you publicly — if you choose, we will acknowledge your contribution on this page
- Fix it — we will address valid vulnerabilities as quickly as our resources allow
We are a small team. We do not have a dedicated security department. But we take this seriously and we will respond.
Scope
What's in scope and what's not
In Scope — Report These
Authentication bypass or account takeover
SQL injection or database exposure
Cross-site scripting (XSS)
CSRF vulnerabilities
Sensitive data exposure
Server-side request forgery (SSRF)
API key or credential exposure
Unauthorized access to user data
Screen/camera/voice data leakage
Out of Scope — Please Don't
Denial of service (DoS/DDoS) attacks
Social engineering of our team
Physical attacks on infrastructure
Spam or phishing campaigns
Vulnerabilities in third-party services (OpenAI, Stripe, etc.)
Issues requiring unlikely user interaction
Automated scanning without prior notice
Submit a Report
Report a vulnerability
Hall of Thanks
Acknowledged contributors
No reports have been received yet. Be the first to find something and we will list you here — with your permission.