Security
Coordinated vulnerability disclosure.
If you've found a vulnerability in StackFill — the apex site, the /v1 API, the embed widget, the renderer container, or any other StackFill-hosted surface — please reach out before disclosing publicly. We take all reports seriously and respond quickly.
How to report
Email security@stackfill.com. Please include:
- A clear description of the issue and the impact you observed.
- Steps to reproduce — exact URLs, request payloads, account context where relevant.
- Whether you accessed any data you didn't own, and what you did with it.
- Your preferred contact channel and whether you'd like public credit.
Encrypt sensitive reports if you'd like — request our PGP key in your first email and we'll send it back.
Response timeline
- Within 2 business days — initial acknowledgement.
- Within 5 business days — triage outcome (confirmed, duplicate, out of scope, or needs more info).
- Within 30 days for high-severity issues — fix shipped or a remediation plan with timeline.
Scope
In scope:
stackfill.com,api.stackfill.com,embed.stackfill.com, andcdn.stackfill.com.- The
/v1REST API. - The browser embed widget and storefront integration surfaces.
- The Ghostscript renderer container.
- The platform admin dashboard at
/admin.
Out of scope:
- Findings that depend on browser bugs, plugins, or stale-cache state we can't reproduce on a current Chromium build.
- Self-XSS that requires the victim to paste attacker-controlled content into DevTools.
- Missing security headers or rate-limit thresholds without a concrete impact case.
- Volumetric DoS, brute-force, or social-engineering attacks.
- Demo workspaces created via
/demo/— these are isolated, time-boxed, and treated as testing surfaces, not production data. - Third-party services we depend on (Cloudflare Pages, D1, R2, KV, Stripe, Mailgun, Fly.io). Report those directly to the vendor.
Safe harbor
If you make a good-faith effort to comply with this policy during your security research, we will not pursue or support legal action against you. Acting in good faith means:
- Not accessing, modifying, or exfiltrating data that doesn't belong to you beyond what's necessary to demonstrate the issue.
- Not degrading service availability for other users.
- Not publicly disclosing the issue until we've agreed on a coordinated timeline.
Acknowledgements
Researchers who responsibly disclose qualifying issues are credited here with their consent. The list is empty today — we'd be glad to add you to it.
Last updated 2026-05-24. The machine-readable contact for security researchers is at /.well-known/security.txt.