How to report a vulnerability
If you believe you have found a security issue in Routescore — the app, the API, a scanner, or any public methodology — email [email protected]. We acknowledge reports within 24 hours.
Scope
- routescore.io (production app)
- qa.routescore.io (staging environment)
- snapshots.routescore.io (data CDN)
- github.com/jomn-intel/* (open-source detector + methodology)
Out of scope
- Findings against test environments or third-party services (Vercel, Cloudflare, etc.)
- Social-engineering attacks against our team
- Physical attacks against our offices
- Brute-force / volumetric attacks (DDoS)
- Findings derived from automated scanning without further analysis
Safe-harbor
We will not pursue legal action against good-faith researchers who:
- follow this policy and email us before disclosing;
- do not access, modify, or delete user data;
- give us a reasonable time to remediate before publication.
Rewards
We do not yet operate a formal bug-bounty program. We do acknowledge meaningful findings publicly (with researcher consent) and may offer discretionary rewards for critical issues.
Encrypted reports
For sensitive reports, email [email protected] and request a temporary encrypted handoff. A public PGP key will be published after the security mailbox and key custody process are finalized.
See also /.well-known/security.txt.