Park Bench Publishing

Security

Responsible Disclosure

We take customer trust seriously. If you believe you have found a security vulnerability in any Park Bench Publishing service, please report it privately so we can investigate and remediate before details become public.

How to report

  • Email security@parkbenchpublishing.com with a clear description of the issue and reproduction steps.
  • See our /.well-known/security.txt for current contact information.
  • Please do not publicly disclose the issue until we have had a reasonable opportunity to investigate (we aim to acknowledge within 3 business days and resolve within 90 days).

What is in scope

  • parkbenchpublishing.com and all subdomains we operate.
  • Our Cloudflare Workers backend and Supabase data layer (data exposure, authentication bypass, injection, IDOR).
  • Our Stripe and Lulu webhook integration.

What is out of scope

  • Vulnerabilities in third-party services we depend on (Cloudflare, Supabase, Stripe, Lulu, Resend); please report those to the vendor directly.
  • Reports that require physical access, social engineering of our staff, or denial-of-service attacks against our infrastructure.
  • Best-practice findings that do not represent a real exploitable risk (e.g. missing security headers without a demonstrable impact).

Safe-harbor

We will not pursue legal action against researchers who act in good faith, follow this policy, do not access more data than is necessary to demonstrate the issue, and give us reasonable time to remediate before disclosure.

Acknowledgments

We are grateful to security researchers who have helped us improve. Names will be listed here (with permission) after disclosure.