responsible disclosure

Security

ripper moves money, so security is not optional. If you have found a vulnerability in ripper, we want to hear from you. This page explains how to report it, what is in scope, and the commitments we make to researchers who disclose responsibly.

How to report

  1. 01

    Email the security team

    Send the details to security@ripper.dev. Include a clear description, reproduction steps, affected URLs or endpoints, and the impact you believe the issue has.

  2. 02

    Encrypt anything sensitive

    For reports containing sensitive data, please encrypt them with our PGP public key: /.well-known/pgp-key.txt. Our machine-readable contact record lives at /.well-known/security.txt.

  3. 03

    Give us time to respond

    We aim to acknowledge every report promptly and to keep you updated as we investigate and remediate, coordinating the disclosure timeline with you.

Scope

In scope

  • ripper.dev and its public subdomains
  • The ripper API and hosted payment surfaces
  • Authentication, authorisation, and tenant-isolation flaws
  • Exposure of card data, credentials, or personal data

Out of scope

  • Denial-of-service and volumetric attacks
  • Social engineering of staff or customers
  • Reports from automated scanners with no proven impact
  • Missing best-practice headers with no demonstrable risk

When in doubt, report it and let us decide. Never access, modify, or delete data that is not yours, and never degrade the service for others while testing.

Coordinated disclosure

We practise coordinated disclosure on a 90-day timeline. Once you report an issue we will confirm receipt, work with you to validate it, and remediate as quickly as we responsibly can. We ask that you keep the details private until a fix is deployed or until 90 days have elapsed from your report, whichever comes first. If a fix needs longer than the 90-day window, we will tell you and agree an extension together rather than let the deadline pass in silence.

Safe harbour

We will not pursue or support legal action against researchers who act in good faith under this policy. If you make a genuine effort to follow these guidelines — stay within scope, avoid privacy violations and service disruption, and give us a reasonable chance to fix the issue before going public — we consider your research authorised under our safe harbour and will treat it as such. This safe harbour does not extend to actions that break the law independently of your testing.

Hall of fame

We publicly credit researchers who report valid, in-scope vulnerabilities and help us keep ripper safe. With your permission we will list your name or handle here as a thank you.

No researchers listed yet — be the first. Report a valid issue to security@ripper.dev and, with your consent, we will add you to this hall of fame.