Find something? Tell us.

We don't punish researchers. If you find a security issue, we want to hear about it, fix it, and credit you.

What to include

• The affected URL, endpoint, or build.
• Repro steps. A short video or HAR file helps.
• Impact — what an attacker could do.
• Your name and how you'd like to be credited (or not).

What's in scope

• felarity.com, app.felarity.com, api.felarity.com, docs.felarity.com, status.felarity.com.
• Our server-side code paths and the public API.
• Our cryptographic attestation chain and the public verifier.
• Authentication, session, and authorization mechanisms.

What's out of scope

• Vulnerabilities in third-party infrastructure we don't operate (Stripe, Google, Cloudflare, etc.) — report those to the vendor.
• Social engineering of staff.
• Volumetric DDoS.
• Physical attacks on our facilities.
• Self-XSS or issues requiring an already-compromised browser.
• Findings from automated scanners with no demonstrated exploitability.
• Internal LAN hosts (e.g., whisper1, whisper2, whisper3) — not reachable from the public internet.

Rules of engagement (safe harbor)

If you act in good faith and follow these rules, we will not pursue civil or criminal action against you and we will work with you in good faith on disclosure.

• Do not access or modify data that doesn't belong to you. If you accidentally see customer data, stop, delete it, and tell us.
• Do not degrade or disrupt the service for other users.
• Do not run tests against accounts you don't own without our written permission.
• Do not publish findings until we've had a reasonable chance to fix them.

Hall of thanks

Once we have valid disclosures to credit, this page will list them by name (or handle, if you prefer). We don't currently run a paid bounty program — we do offer swag and a public acknowledgement, and we treat researchers as the colleagues they are.

If you're stuck

For non-security issues, contact hello@felarity.com. For abuse, abuse@felarity.com. For legal, legal@felarity.com.