Security & Responsible Disclosure
We take the security of Offlinedocs.ai seriously. If you believe you've found a vulnerability, we want to hear from you.
Reporting a vulnerability
Email security@offlinedocs.ai with enough detail to reproduce the issue: the affected URL or endpoint, the steps you took, and the impact you observed. Proof-of-concept code or screenshots help us triage faster.
We aim to acknowledge reports within a few business days. Please give us a reasonable chance to investigate and fix an issue before disclosing it publicly.
Scope
In scope
- The Offlinedocs.ai web application and its API.
Out of scope
- Third-party services we build on (e.g. Supabase, Stripe, Shopify, our email provider) — please report those to the respective vendor.
- Denial-of-service, volumetric, or spam attacks; anything that degrades service for other users.
- Social engineering of our staff, users, or contractors.
- Automated scanning that generates significant traffic, and any testing that accesses or alters data belonging to accounts other than your own test account.
Safe harbor
We will not pursue legal action against, or report to law enforcement, anyone who reports a vulnerability in good faith and in accordance with this policy — meaning you avoid privacy violations, data destruction, and service degradation, you only interact with accounts you own or have explicit permission to test, and you give us a reasonable time to remediate before public disclosure. This policy is offered by Kelm Software Technologies L.L.C-FZ, which operates Offlinedocs.ai.
Rewards
We do not currently offer monetary rewards. This is a coordinated disclosure program, not a paid bug bounty. We're happy to publicly credit researchers who report in good faith and follow this policy.