Security & Responsible Disclosure

We appreciate reports from security researchers and the wider community.

Reporting a vulnerability

Email security@pastepile.com with details. Please give us a reasonable window to investigate and fix the issue before any public disclosure.

What to include

  • A clear description of the issue and its impact.
  • Step-by-step reproduction (URLs, payloads, requests).
  • Affected endpoints or pages.
  • Your contact info if you would like credit.

Scope

In scope:

  • pastepile.com and its public API.
  • Authentication, authorization, and rate-limit bypasses.
  • XSS, CSRF, SSRF, injection, and similar web vulnerabilities.
  • Issues that let one user read or modify another user's paste they should not have access to.

Out of scope:

  • Reports from automated scanners without a working proof of concept.
  • Missing security headers without a demonstrated impact.
  • Denial-of-service through volumetric attacks.
  • Social engineering of staff or users.
  • Issues in third-party services (Cloudflare, Supabase) - report those upstream.

Safe harbor

If you make a good-faith effort to comply with this policy, do not access or modify other users' data, avoid privacy violations and service degradation, and give us reasonable time to respond, we will not pursue legal action against you for your research.

Our security posture

  • Optional end-to-end encryption (AES-GCM in the browser; key in URL fragment).
  • Edit keys, passwords, and API keys are stored only as SHA-256 hashes.
  • Database access is locked down with row-level security; tables are reachable only through reviewed RPCs.
  • Short-lived rate limits on write paths, pruned daily.