Security

Responsible disclosure

We take security seriously. If you’ve found a vulnerability, data-exposure risk, or any issue that could harm our users, thank you — please let us know so we can fix it before anyone gets hurt.

How to report

  • Email [email protected] (preferred), or [email protected] as a fallback.
  • Include: what you found, steps to reproduce, affected URL(s), the impact you think it has, and your preferred handle for the hall of fame.
  • Please give us a reasonable window to patch before public disclosure — we’ll acknowledge within 48 hours and keep you in the loop on progress.

Scope

In scope:

  • namenotifier.com and all subdomains we control
  • The public API (/api/v1/*)
  • Any code in the JoeyAwwad/domainwatcher repo that runs in production

Out of scope:

  • Denial-of-service and volumetric attacks (please don’t)
  • Social engineering against our team or users
  • Physical attacks on our infrastructure
  • Third-party services (Stripe, Resend, Cloudflare, Telegram) — report to them directly
  • Spam or abuse from other users (use the in-app report flow)

Safe harbor

We won’t pursue legal action against researchers acting in good faith within this policy. Please don’t access user data beyond what’s necessary to prove the issue, and delete anything you do access as soon as you’ve captured the proof.

Hall of fame

Researchers who’ve responsibly disclosed issues to us are listed here with their permission. (Be the first.)

Our commitments

  • Acknowledge within 48 hours
  • Patch critical bugs within 7 days, others within 30 days
  • Credit you publicly (with your consent)
  • Never threaten or pursue legal action against good-faith reporters

This policy is mirrored at /.well-known/security.txt. Last updated: 2026-04-21.