Security & Responsible Disclosure

Reporting contact

Send security reports to security@sota.io. We acknowledge new reports within 2 business days and aim to provide a substantive response within 5 business days.

Machine-readable contact info follows RFC 9116 security.txt.

In scope

• sota.io — landing page + user dashboard
• api.sota.io — public REST API
• mcp.sota.io — MCP server with OAuth 2.1 + DCR
• admin.sota.io — internal admin (limited access)
• auth.sota.io — OAuth / OTP authentication
• The @sota-io/sdk and @sota-io/mcp npm packages
• The sota CLI from github.com/sota-deploy/cli

Out of scope

• Customer apps deployed on the platform (report the customer instead; we'll forward where appropriate).
• Social-engineering, physical attacks against staff or infrastructure providers.
• Denial-of-service tests against shared infrastructure (worker-01, edge-01). DoS findings via traffic analysis are welcome; please do not actually run the attack.
• Findings that require an already-compromised user account or physical device.
• Missing security headers / cookie flags without a concrete impact path.
• Third-party services we use (Supabase, Hetzner, Stripe, Resend, Google Workspace). Report those to the vendor directly.

Rules of engagement

• Do not access or modify data belonging to other users.
• Use the Free tier or your own paid account for testing. Provision dedicated test accounts; do not target existing customers.
• If a finding requires destructive proof, stop at the smallest proof-of-concept and contact us before going further.
• Give us reasonable time to remediate before public disclosure. We coordinate on a timeline together; the default is 90 days.
• We do not currently run a paid bounty programme, but we publicly credit researchers (with consent) once a fix ships.

Other contacts