How to report
Send your report to support@rekomi.com. Encrypted reports are welcome (PGP key on request). Please include:
- Steps to reproduce.
- Impact: what an attacker could do.
- Affected component (API endpoint, frontend route, webhook, etc.).
- Your handle, if you want public credit.
What's in scope
- rekomi.com and api.rekomi.com.
- Multi-tenant isolation (cross-tenant data access).
- Stripe webhook signature handling, S2S signature handling.
- Authentication and authorization paths.
- API key management and rotation.
- Cookie handling and session management.
- AI co-pilot prompt injection or data exfiltration.
What's out of scope
- Third-party services (Stripe, Clerk, Cloudflare, Anthropic): report to those vendors directly.
- Self-XSS, and missing security headers on the docs site.
- Findings requiring physical access.
- Social engineering of staff.
Safe harbor
Good-faith research conducted within scope is not subject to legal action or account termination. Do not access another customer's data, do not exfiltrate data, do not disrupt service.
Researcher credit
We publicly credit researchers (with consent) on this page for valid reports. A formal bug bounty program is on the roadmap.