Security

Coordinated vulnerability disclosure.

If you've found a vulnerability in StackFill — the apex site, the /v1 API, the embed widget, the renderer container, or any other StackFill-hosted surface — please reach out before disclosing publicly. We take all reports seriously and respond quickly.

How to report

Email security@stackfill.com. Please include:

  • A clear description of the issue and the impact you observed.
  • Steps to reproduce — exact URLs, request payloads, account context where relevant.
  • Whether you accessed any data you didn't own, and what you did with it.
  • Your preferred contact channel and whether you'd like public credit.

Encrypt sensitive reports if you'd like — request our PGP key in your first email and we'll send it back.

Response timeline

  • Within 2 business days — initial acknowledgement.
  • Within 5 business days — triage outcome (confirmed, duplicate, out of scope, or needs more info).
  • Within 30 days for high-severity issues — fix shipped or a remediation plan with timeline.

Scope

In scope:

  • stackfill.com, api.stackfill.com, embed.stackfill.com, and cdn.stackfill.com.
  • The /v1 REST API.
  • The browser embed widget and storefront integration surfaces.
  • The Ghostscript renderer container.
  • The platform admin dashboard at /admin.

Out of scope:

  • Findings that depend on browser bugs, plugins, or stale-cache state we can't reproduce on a current Chromium build.
  • Self-XSS that requires the victim to paste attacker-controlled content into DevTools.
  • Missing security headers or rate-limit thresholds without a concrete impact case.
  • Volumetric DoS, brute-force, or social-engineering attacks.
  • Demo workspaces created via /demo/ — these are isolated, time-boxed, and treated as testing surfaces, not production data.
  • Third-party services we depend on (Cloudflare Pages, D1, R2, KV, Stripe, Mailgun, Fly.io). Report those directly to the vendor.

Safe harbor

If you make a good-faith effort to comply with this policy during your security research, we will not pursue or support legal action against you. Acting in good faith means:

  • Not accessing, modifying, or exfiltrating data that doesn't belong to you beyond what's necessary to demonstrate the issue.
  • Not degrading service availability for other users.
  • Not publicly disclosing the issue until we've agreed on a coordinated timeline.

Acknowledgements

Researchers who responsibly disclose qualifying issues are credited here with their consent. The list is empty today — we'd be glad to add you to it.

Last updated 2026-05-24. The machine-readable contact for security researchers is at /.well-known/security.txt.