Security & responsible disclosure
How we protect webatla — and how to report a vulnerability if you find one.
Reporting a vulnerability
We welcome reports from the security community. If you believe you've found a security issue, email hello@webatla.com with steps to reproduce, affected URLs, and any proof-of-concept. We aim to acknowledge reports within 3 business days and to keep you updated through remediation. Please give us a reasonable window to fix the issue before any public disclosure.
Scope
- In scope: webatla.com, the public API under /api, and our origin infrastructure.
- Out of scope: volumetric DoS/DDoS, social engineering, physical attacks, and issues in third-party services we use (Cloudflare, Stripe, Brevo, Tawk.to). Automated scanner output without a working proof-of-concept is not actionable.
Safe harbor
We will not pursue or support legal action against researchers acting in good faith who follow this policy, avoid privacy violations and service disruption, and do not access or modify data that isn't their own.
How we protect your data
- HTTPS everywhere with HSTS, behind Cloudflare (WAF + DDoS protection); the origin is locked to Cloudflare.
- Passwords hashed with bcrypt; optional two-factor authentication (TOTP), with the TOTP secret encrypted at rest.
- We never store card data — payments are processed by Stripe (PCI-DSS); crypto via PayerURL.
- Strict Content-Security-Policy with per-request nonces, same-origin CSRF protection, and rate limiting on sensitive endpoints.
- Secrets are kept in the environment (not in code), with least-privilege access, and we run regular security reviews.
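As an added illustration of the per-request CSP nonce mentioned above (this is example code written for this page, not webatla's own implementation; the function names, the constructed comment input and the exact policy directives are assumptions), the snippet below generates a fresh nonce for every response, emits a nonce-based policy, and approximates the browser's check that refuses any script tag whose nonce does not match the header:

```python
import html
import re
import secrets

# Added illustration of a per-request CSP nonce; function names are hypothetical,
# not webatla's code.

NONCE_BYTES = 16  # 128 bits of CSPRNG output per response


def new_nonce() -> str:
    # A nonce must be unpredictable and unique per response; reusing one across
    # responses would let an injected script carry a value it could have learned.
    return secrets.token_urlsafe(NONCE_BYTES)


def csp_header(nonce: str) -> str:
    # Nonce-based "strict" policy: inline or remote scripts run only if they carry
    # this response's nonce; 'strict-dynamic' lets those trusted scripts load
    # further scripts without a host allow-list.
    return (
        "default-src 'self'; "
        f"script-src 'nonce-{nonce}' 'strict-dynamic'; "
        "object-src 'none'; base-uri 'none'; frame-ancestors 'none'"
    )


def render_page(nonce: str, untrusted_comment: str) -> str:
    # The server's own script gets the nonce; user content is HTML-escaped so it
    # cannot become markup at all (CSP is the second layer, not the first).
    return (
        f'<script nonce="{nonce}">init();</script>\n'
        f"<p>{html.escape(untrusted_comment)}</p>"
    )


def handle_request(untrusted_comment: str) -> dict:
    # One nonce per response: generated here, placed in the header and the markup.
    nonce = new_nonce()
    return {
        "headers": {"Content-Security-Policy": csp_header(nonce)},
        "body": render_page(nonce, untrusted_comment),
    }


_SCRIPT_TAG = re.compile(r"<script\b([^>]*)>", re.IGNORECASE)
_NONCE_ATTR = re.compile(r'\bnonce="([^"]*)"')
_HEADER_NONCE = re.compile(r"'nonce-([^']+)'")


def blocked_scripts(body: str, csp: str) -> list:
    # Approximates the browser's check: every <script> whose nonce attribute does
    # not equal a nonce in the CSP header is blocked. Returns the opening tags
    # that would be refused.
    header_nonces = set(_HEADER_NONCE.findall(csp))
    blocked = []
    for match in _SCRIPT_TAG.finditer(body):
        found = _NONCE_ATTR.search(match.group(1))
        if not found or found.group(1) not in header_nonces:
            blocked.append(match.group(0))
    return blocked


if __name__ == "__main__":
    # Constructed input: a comment that tries to smuggle a script tag.
    resp = handle_request("<script>steal(document.cookie)</script>")
    csp = resp["headers"]["Content-Security-Policy"]
    print(csp)
    print(resp["body"])
    print("blocked:", blocked_scripts(resp["body"], csp))
```

Two responses never share a nonce, so a script injected into one page cannot reuse a value observed on another; the escaping in `render_page` stops the injection from becoming a tag in the first place, and the nonce check is what catches anything that still reaches the page unescaped.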
security.txt
Machine-readable contact details are published per RFC 9116 at /.well-known/security.txt.
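To show what the RFC 9116 file referenced above has to contain, here is an added example (written for this page, not webatla's published file) that builds a security.txt and checks the points a researcher would verify before trusting it: both Contact and Expires present, Contact given as a mailto:, https: or tel: URI, Expires in RFC 3339 form, not in the past and less than a year out, and single-valued fields not repeated. The Canonical URL and every date in it are constructed placeholders.

```python
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Added illustration of an RFC 9116 security.txt builder and checker. The
# function names, the Canonical/Policy URLs and all dates are constructed
# examples, not webatla's published file.

REQUIRED = ("contact", "expires")                   # RFC 9116: both MUST be present
SINGLE_VALUED = ("expires", "preferred-languages")  # MUST NOT appear more than once
CONTACT_SCHEMES = ("mailto:", "https:", "tel:")


def parse_rfc3339(value: str) -> datetime:
    # RFC 9116 Expires uses an RFC 3339 date-time, e.g. 2026-06-30T00:00:00Z.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def build_security_txt(contact: str, expires: datetime,
                       canonical: Optional[str] = None,
                       policy: Optional[str] = None,
                       languages: Optional[str] = None) -> str:
    lines = [
        "# Security contact for vulnerability reports.",
        f"Contact: {contact}",
        f"Expires: {expires.astimezone(timezone.utc).strftime('%Y-%m-%dT%H:%M:%SZ')}",
    ]
    if canonical:
        lines.append(f"Canonical: {canonical}")
    if policy:
        lines.append(f"Policy: {policy}")
    if languages:
        lines.append(f"Preferred-Languages: {languages}")
    return "\n".join(lines) + "\n"


def parse_security_txt(text: str) -> Dict[str, List[str]]:
    # Field names are case-insensitive; '#' lines are comments; a field may
    # repeat unless RFC 9116 says otherwise, so values are kept as lists.
    fields: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed line: {raw!r}")
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields


def validate_security_txt(text: str, now: Optional[datetime] = None) -> List[str]:
    # Returns the problems found; an empty list means the file passes these checks.
    now = now or datetime.now(timezone.utc)
    try:
        fields = parse_security_txt(text)
    except ValueError as exc:
        return [str(exc)]
    problems: List[str] = []
    for name in REQUIRED:
        if name not in fields:
            problems.append(f"missing required field: {name.capitalize()}")
    for name in SINGLE_VALUED:
        if len(fields.get(name, [])) > 1:
            problems.append(f"{name.capitalize()} must appear only once")
    for contact in fields.get("contact", []):
        if not contact.lower().startswith(CONTACT_SCHEMES):
            problems.append(f"Contact must be a mailto:, https: or tel: URI: {contact!r}")
    for value in fields.get("expires", [])[:1]:
        try:
            when = parse_rfc3339(value)
        except ValueError:
            problems.append(f"Expires is not an RFC 3339 date-time: {value!r}")
            continue
        if when <= now:
            problems.append("Expires is in the past; the file is stale")
        elif when > now + timedelta(days=365):
            problems.append("Expires should be less than a year in the future")
    return problems


if __name__ == "__main__":
    sample = build_security_txt(
        "mailto:hello@webatla.com",
        parse_rfc3339("2026-06-30T00:00:00Z"),                      # constructed date
        canonical="https://webatla.com/.well-known/security.txt",  # assumed URL
    )
    print(sample)
    print(validate_security_txt(sample, now=parse_rfc3339("2026-01-01T00:00:00Z")))
```

The Expires check matters on both sides: a stale file tells a researcher the contact may no longer be monitored, and a date more than a year out defeats the field's purpose of forcing the operator to re-confirm the contact details periodically.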