We take security seriously and welcome reports from the security community. This page tells you how to reach us, what's in scope, and what you can expect in return.
How to report
Email security [at] crumble [dot] me with:
- A clear description of the issue and its impact.
- Steps to reproduce, including any test accounts you used.
- Where possible, a proof-of-concept (cURL, screenshot, short script).
- Your contact details and (optional) name for credit.
Sensitive reports can be encrypted with our PGP key.
Fingerprint: TBD-pgp-fingerprint-pending. The published key will be available at /.well-known/security.txt when finalised. If you need it before then, ask in your first email and we will send it.
Response SLA
- Initial acknowledgement: within 3 business days.
- Triage and severity assignment: within 7 business days.
- Status updates: at least every 14 days while the issue is open.
- Fix target: critical issues within 7 days; high within 30 days; lower-severity issues at the next scheduled release.
Scope
In scope:
- crumble.me only — the production web app and any official Crumble API endpoints under /api/.
Out of scope:
- Preview / staging deployments (e.g. *.crumbleme.pages.dev) — these may run unreviewed code on purpose.
- Third-party services we depend on (Cloudflare, Google, Foursquare, OpenStreetMap). Report directly to them.
- Findings only reproducible on outdated browsers or rooted/jailbroken devices.
- Self-XSS, missing best-practice headers without demonstrable impact, missing rate limits without demonstrable impact, or click-jacking on pages with no sensitive actions.
- Volumetric attacks (DoS/DDoS), social engineering of staff or users, physical attacks.
- Reports generated solely by automated scanners with no validated impact.
Safe harbour
If you make a good-faith effort to comply with this policy, we will not pursue or support any legal action against you for your research. Specifically, we agree that your activity is authorised under the Dutch Computer Crime Act (Wet Computercriminaliteit) and the EU Cybersecurity Act, and we will work with you if a third party (hosting provider, law enforcement) raises concerns.
To stay within safe harbour you must:
- Avoid privacy violations, destruction of data, and interruption or degradation of the service.
- Test only against accounts you own or have explicit permission to test.
- Stop testing as soon as a vulnerability is confirmed and immediately report it.
- Give us a reasonable time to remediate before any public disclosure (we suggest 90 days, or earlier by mutual agreement).
Recognition (no bug-bounty payouts)
Crumble does not pay bug bounties. The app earns very little revenue at the moment, so we cannot offer cash rewards for valid reports. Please do not submit reports expecting payment.
What we can offer: a public thank-you on our security page (with your permission) once the issue is fixed, and — if circumstances allow — Crumble Plus credit or merchandise as a token of appreciation.