Security & Responsible Disclosure
Last updated: May 2, 2026
Covol takes the security of our users — most of whom are minors — seriously. If You discover a vulnerability, this page explains how to report it, what We will do, and what You can expect in return.
1. How to report
Email security@covol.app with:
- A clear description of the issue.
- Reproduction steps (URL, request, payload, expected vs. actual behavior).
- The impact — what an attacker could do with this.
- Your name (or a handle) so We can credit You if You want.
Please do not open public GitHub issues, post to social media, or otherwise disclose the issue until We’ve had a chance to fix it.
2. Our commitment
- We will acknowledge receipt within 3 business days.
- We will provide a triage assessment within 7 business days.
- We will keep You updated as We work on a fix.
- We will not pursue legal action against You for good-faith security research that follows this policy.
- If You request, We will publicly credit You once the issue is resolved.
3. Disclosure timeline
We follow a 90-day coordinated disclosure window from the date a valid report is acknowledged. Within that window:
- We work with You privately to confirm, fix, and verify the issue.
- For critical issues affecting user data or account integrity, We may patch and deploy within hours and disclose details after the fix is live.
- You may publicly disclose the issue after Day 90, or sooner with Our written agreement.
4. Scope
In scope: https://www.covol.app, https://covol.app, and any official Covol Vercel preview deploys.
Out of scope:
- Third-party services We use (Supabase, Vercel, Resend, Sentry, OpenCage, Upstash) — report directly to them.
- Social-engineering attacks against Covol staff, contractors, or users.
- Physical attacks against Our infrastructure or office.
- Denial-of-service attacks (volumetric or otherwise).
- Self-XSS that requires the victim to paste an attacker-supplied payload into their own browser console.
- Missing security headers without a demonstrated impact (We’re already running a strict CSP — but reports of a real bypass are very welcome).
- Reports from automated scanners without manual verification.
5. Bounty
Covol is a small, free, beta product. We do not currently pay monetary bounties. We can offer:
- Public credit on this page (if You want it).
- A genuine thank-you — security researchers protecting teen data earn karma here that We will eventually find a way to repay.
We may add a paid bounty program once Covol has revenue. If/when that happens, this page will be updated.
6. Encryption
We do not currently publish a PGP key. Email to security@covol.app is delivered over TLS, which protects it in transit but is not end-to-end encryption. If You need encrypted communication, request a Signal handle in Your initial email and We will respond with one.
7. What We do on Our side
Some of the controls We have in place — not exhaustive, but illustrative of where We’ve invested:
- Row-level security (RLS) on every Postgres table; broad anon policies replaced with narrow SECURITY DEFINER RPCs where public read is required.
- All authentication tokens are HS256-signed and single-use (a jti claim is recorded in consumed_tokens on first use).
- Append-only audit log enforced by BEFORE UPDATE/DELETE triggers.
- Distributed rate limiting via Upstash Redis on every auth endpoint, keyed by both email and IP.
- Strict Content-Security-Policy, HSTS, X-Frame-Options DENY, Permissions-Policy on every route.
- Sentry beforeSend redactor scrubs URLs, breadcrumbs, and paths of tokens, codes, and email addresses before they leave the process.
- Avatar storage bucket is private; reads go through short-lived signed URLs.
- Independent security audits run on every major branch before merge.
This policy is loosely inspired by disclose.io and Google’s Project Zero disclosure norms. We may update it without notice as Covol grows.