Security and responsible disclosure

If you believe you have found a security issue in ClaudeLab — the web app, the mobile app once published, the Supabase backend, or this codebase — I want to hear from you privately first.

How to report

Email security@claudelab.me. Please include:

  • A description of the vulnerability and its potential impact
  • Steps to reproduce, including any required configuration
  • Affected version or commit, if known
  • Your contact details so we can follow up

Do not open a public GitHub issue, post on social media, or otherwise disclose the issue until we have had a reasonable opportunity to investigate and respond.

What to expect

  • Acknowledgement within 3 business days
  • Initial triage within 7 business days
  • Target remediation within 30 days for confirmed vulnerabilities, prioritized by severity
  • Credit in the release notes once the patch ships, if you want it

ClaudeLab does not currently run a paid bug-bounty program, but we appreciate responsible disclosure and work with reporters in good faith.

In scope

  • The web app at https://claudelab.me
  • The Supabase project that backs the app — edge functions, database, auth
  • The mobile app once published to the App Store / Play Store
  • Source code in the public repository

Out of scope

  • Denial-of-service attacks or stress testing
  • Findings that require physical access to a victim's device
  • Issues in third-party dependencies that are not exploitable through ClaudeLab
  • Social-engineering attacks against ClaudeLab staff or users

Safe harbor

We will not pursue legal action against researchers who:

  • Make a good-faith effort to avoid privacy violations, data destruction, or service disruption
  • Only access data that belongs to their own test account
  • Give us a reasonable time to respond before public disclosure

Why timing-safe matters

Some endpoints — password reset, email lookups, the public profile fetch — are written to take roughly the same amount of time whether the underlying record exists or not. That is deliberate: it prevents a remote attacker from using response timing to enumerate accounts. If you discover an endpoint that leaks existence through timing, please report it.
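As an added illustration of the property this section describes (example code, not ClaudeLab's own; the user store, salt and scrypt parameters are constructed), here is a credential check written two ways: the leaky version returns before the expensive hash when the email is unknown, so timing reveals whether the account exists, while the equalized version hashes against a dummy record so both paths do the same work.

```typescript
import { scryptSync, timingSafeEqual } from "crypto";

// Constructed sample data, not real ClaudeLab accounts.
const SALT = "a1b2c3d4e5f60718"; // fixed so the example is reproducible
type Record_ = { salt: string; hash: Buffer };

// Deliberately cheap scrypt parameters so the example runs quickly.
function hashPassword(password: string, salt: string): Buffer {
  return scryptSync(password, salt, 32, { N: 1024, r: 8, p: 1 });
}

// Map rather than a plain object so "constructor"/"toString" cannot match.
const USERS = new Map<string, Record_>([
  ["alice@example.com", { salt: SALT, hash: hashPassword("correct horse", SALT) }],
]);

// Counts expensive hash operations so a test can compare the two paths.
let hashCalls = 0;
export function hashCallCount(): number { return hashCalls; }
export function resetHashCalls(): void { hashCalls = 0; }

// Leaky: unknown email skips the hash, so the response is measurably faster.
export function verifyLeaky(email: string, password: string): boolean {
  const user = USERS.get(email);
  if (!user) return false; // fast path: an enumeration oracle
  hashCalls++;
  return timingSafeEqual(hashPassword(password, user.salt), user.hash);
}

// Equalized: always hash, against a dummy record if the email is unknown,
// and only decide the outcome after the work has been done.
const DUMMY: Record_ = { salt: SALT, hash: hashPassword("dummy-placeholder", SALT) };
export function verifyEqualized(email: string, password: string): boolean {
  const user = USERS.get(email);
  const record = user ?? DUMMY;
  hashCalls++;
  const match = timingSafeEqual(hashPassword(password, record.salt), record.hash);
  return user !== undefined && match; // unknown email always fails
}
```

This only equalizes the hashing step; the database lookup that precedes it must also behave the same for hits and misses, or the timing difference simply moves there.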

Thank you for helping keep ClaudeLab and its users safe.