Security
Security disclosure policy.
Effective: April 23, 2026 · See also /.well-known/security.txt.
If you've found a security issue in SlotOwl — the browser extension, the cloud backend, the marketing site, or our build pipeline — we want to know. We are a small operation but we take security extremely seriously, both because the product runs inside users' authenticated sessions and because trust is the only meaningful asset we have in this market.
How to report
Email security@slotowl.app with as much detail as you can: a clear description of the issue, the steps to reproduce, the affected URL or extension version, and (ideally) a proof-of-concept exploit. Encrypt with PGP if you prefer; ask for a public key first.
What you can expect from us
- Acknowledgement within 48 hours of your report (usually much faster).
- An initial triage assessment within 7 calendar days — confirming the issue, severity rating, and our planned remediation timeline.
- Public credit if you'd like it (in SECURITY-THANKS.md, posted on this page after launch).
- No legal action against good-faith researchers — see our safe-harbor wording below.
Scope
In scope: any code we ship or operate. Specifically:
- The Chrome extension and (soon) the Safari extension at the IDs published on the Chrome Web Store and Mac App Store.
- Cloud Functions deployed at https://us-central1-slotowl-dev.cloudfunctions.net.
- The marketing site at https://dev.slotowl.app and any subdomains.
- Our Firestore rules, our build/release pipeline, our use of third-party services (Resend, Lemon Squeezy, Cloudflare).
Out of scope: third-party services themselves (report to their security teams), brute-force attempts (we'd notice), social engineering of our staff (don't), DoS / DDoS testing (don't).
Safe harbor
We will not pursue legal action against you for good-faith security research that:
- Stays in scope as defined above.
- Avoids privacy violations (don't access other users' data).
- Does not destroy data or disrupt service for other users.
- Gives us reasonable time (typically 90 days, longer if needed) to fix the issue before public disclosure.
Bug bounty
We do not currently run a paid bug bounty program. We will offer ad-hoc rewards (a free Plus credit bundle — 10 credits — a small thank-you payment, or both) at our discretion for serious findings. We expect to formalize this once the product is past launch and revenue is steady.
Architecture
For background on what data SlotOwl handles and how, see our privacy & architecture page. Most reportable issues fall into one of these categories:
- Firestore rules that allow more than they should.
- Cloud Functions accepting input that bypasses validation.
- Extension code that leaks data to a content script context that shouldn't see it.
- Cross-device push token bypass (someone subscribing to another user's alerts).
- Webhook endpoint signature bypass.
PGP key
Email security@slotowl.app if you'd like our PGP public key for encrypted communication.