Surplus Docs by Sharing Excess

Vulnerability disclosure

We take the security of Surplus and the data of the communities it serves seriously. If you believe you've found a security vulnerability, we want to hear about it — and we appreciate the work of researchers who disclose responsibly.

Please do

  • Report privately. Contact the Sharing Excess team directly (see the contact below). Do not open a public GitHub issue, pull request, or discussion for a security report.
  • Give us details. Include the affected area, the steps to reproduce, the impact you believe it has, and any supporting material (requests, screenshots, a proof-of-concept). The clearer the report, the faster we can act.
  • Give us reasonable time to investigate and remediate before any public disclosure.

Please don't

  • Access, modify, or delete data that isn't yours.
  • Run attacks that could degrade the service for others (for example, denial-of-service or large-scale automated scanning).
  • Use social engineering, phishing, or physical attacks against staff or partners.

What to expect

When you report responsibly and in good faith, we will acknowledge your report, investigate, keep you updated on remediation, and credit you if you'd like once the issue is resolved. We consider good-faith research conducted within these guidelines to be authorized and will not pursue action against it.

Scope

In scope is the Surplus platform: the web application, the API, and their supporting infrastructure. The underlying managed providers (Neon, Upstash, Tigris, Stripe, Resend, Railway, Apitally, Sentry) have their own disclosure programs — please report issues specific to those providers to them directly.

Reporting contact

Report security issues to tech@sharingexcess.com. Include enough detail to reproduce the issue; avoid sending live credentials or large exports of production data in the initial email — we can arrange a secure channel if needed.