Security

Security and Responsible Disclosure

Effective: 7 May 2026

Our approach

BrainLoot runs on Google Cloud (authentication, database, file storage, server-side compute, and hosting) and Stripe. We apply defence in depth: per-user and per-guild database and storage security rules, server-side ownership and admin checks on every callable, App Check / reCAPTCHA Enterprise attestation on sensitive routes, rate limiting, encryption in transit (TLS) and at rest (Google Cloud default encryption), audit and security event logging, least-privilege service accounts, and email-verification gating for paid surfaces. Where credible reports of a vulnerability arise, we patch quickly and communicate clearly.

Reporting a vulnerability

If you believe you have found a security issue affecting BrainLoot, please email security@brainloot.app with:

  • a clear description of the issue and the impact;
  • steps to reproduce, ideally with a minimal proof of concept;
  • the date and time you observed the issue (with timezone);
  • any account or workspace identifiers used during testing;
  • your name and how you would like to be credited (or that you prefer to remain anonymous).

For sensitive reports, you may PGP-encrypt your email — request the public key in your initial message and we will reply with it.

Response targets

  • Acknowledgement: within 2 UK business days of receipt.
  • Triage and severity classification: within 5 UK business days.
  • Fix or mitigation: we aim to remediate critical/high severity issues within 30 calendar days and lower-severity issues within 90 calendar days. We will keep you updated.
  • Public disclosure: coordinated. We ask for 90 days from acknowledgement before public disclosure (or shorter if the issue is already public or actively exploited).

Safe harbour

If your testing follows this policy, we will not pursue legal action against you for good-faith research. To stay within safe harbour you must:

  • only test with accounts you own or have explicit permission to test;
  • avoid accessing, modifying, or destroying data that does not belong to you;
  • stop testing as soon as you have a proof of concept and report responsibly;
  • respect users’ privacy and the availability of the service (no DoS, no automated brute-force);
  • delete any non-public data obtained during testing as soon as you have reported it.

In scope

  • The BrainLoot web application at https://brainloot.io and supported subdomains.
  • The BrainLoot server-side API endpoints exposed by the web app.
  • Database and cloud storage security rules deployed by BrainLoot.
  • The BrainLoot authentication and authorization logic (sign-in, email verification, App Check).

Out of scope

  • Issues in third-party services we depend on (report to that provider — Google Cloud, Stripe, Brevo, etc.).
  • Volumetric or denial-of-service attacks, traffic flooding, or rate-limit testing.
  • Social engineering of BrainLoot staff or users, physical attacks, and phishing.
  • Vulnerabilities only exploitable on outdated, end-of-life, or rooted/jailbroken client devices.
  • Reports relying solely on missing best-practice headers without a demonstrable security impact.
  • Self-XSS, missing rate limits without impact, or clickjacking on pages without sensitive actions.

Bounty

We do not currently run a paid bug bounty programme. We are happy to publicly credit good-faith researchers on this page (with your permission) and to provide a written acknowledgement that you can reference.

Related

See the Privacy Notice for our wider data-handling commitments and the Terms of Service for acceptable use.