Security Policy
SendaOne takes security seriously. This page describes how to report a vulnerability, what to expect in terms of response times, the limits of the responsible disclosure program and public acknowledgements of researchers who have contributed.
Reporting a vulnerability
If you have discovered a vulnerability in SendaOne, write to:
If your report contains sensitive information (proof-of-concept exploiting other users' data, leaked credentials, etc.) encrypt the message with the operator's public PGP key available in the repository (pending formal publication — if you need it urgently, request it via plain mail and the operator will respond with the key).
In the report please include:
- Clear and reproducible description of the issue.
- Exact steps to reproduce (curl/HTTPie command, browser, extension, network conditions).
- Observed impact: what data is exposed, what actions can be misused, estimated severity.
- Your name, alias or Twitter/GitHub handle if you wish public acknowledgement.
Program scope
The program covers any vulnerability present in:
- The
sendaone.comdomain and all its subdomains. - The FastAPI application served from the Fly.io backend.
- The optional OAuth flows (Strava, Garmin, Wahoo, Polar, Suunto, COROS) when active.
- The public v1 API served at
/api/v1. - The optional RAG widget, when enabled.
OUT of scope:
- Vulnerabilities in Fly.io, Cloudflare or Google (report directly to their programs).
- Reports based solely on automated scans without proven exploitation.
- SPF/DMARC/DKIM findings on domains other than sendaone.com.
- Reports on third-party libraries without demonstrating an exploitation path in SendaOne.
- Phishing targeted at the operator personally.
Bug bounty
SendaOne does NOT operate a formal bug bounty program with monetary payment at the time of writing this policy. Confirmed findings are rewarded with:
- Public acknowledgement on this page (with your name or alias).
- Detailed response from the operator and the opportunity to review the fix before publication.
- Open and professional communication throughout the process.
If the project grows to a point that justifies a monetary-rewards budget, we will announce it on this page.
Responsible disclosure
We commit to the following process:
- Confirm receipt of the report within 48 business hours.
- Communicate estimated severity and a mitigation plan within 5 business days.
- Deploy the fix to production within a timeframe proportional to severity (critical: days; high: a week; medium/low: up to 30 days).
- Coordinate publication of the advisory with the researcher.
The researcher commits to:
- NOT publicly disclose the vulnerability until the fix has been deployed, up to a maximum of 90 days from initial report.
- NOT exploit the vulnerability beyond what is necessary to demonstrate it.
- NOT access other users' data.
- NOT execute denial-of-service attacks.
A good-faith disclosure following this process will not be subject to legal action by the operator.
Acknowledgements
The operator publicly thanks researchers who have contributed responsible reports. The list is updated with each confirmed fix:
- (No external reports yet. Be the first.)
Security measures already in place
SendaOne already implements, without need for any report:
- Strict CSP policy, HSTS, X-Frame-Options DENY, restrictive Permissions-Policy.
- Per-IP rate limit with IPv6 /64 grouping.
- CSRF Origin/Referer verification on sensitive endpoints.
- XML sanitization with defusedxml (XXE-safe).
- Pydantic SecretStr for credentials in memory.
- Token comparison with secrets.compare_digest (timing-safe).
- Cloudflare with SSL Full Strict, Bot Fight Mode, AOP and WAF.
- Origin Cloaking middleware: rejects direct requests to fly.dev without CF-Connecting-IP header.