Security & vulnerability disclosure
Thank you for helping keep Leagify secure. This page explains how to report a vulnerability and what to expect when you do.
Reporting a vulnerability
Please don’t open a public GitHub issue. Use one of these private channels instead:
- Preferred — GitHub private vulnerability reporting: open the repository’s Security tab and choose Report a vulnerability.
- Email: security@leagify.co.uk. Include the impact, steps to reproduce (or a proof of concept), the affected version (commit SHA or release tag), and how to contact you. Request our PGP key in your first message if you need encryption.
What to expect
| Phase | Timeline (target) |
|---|---|
| Initial acknowledgement | within 48 hours |
| Triage + severity assessment | within 5 working days |
| Fix in production for High/Critical | within 30 days |
| Public disclosure (after fix) | within 90 days of report, coordinated with you |
We don’t run a paid bug-bounty programme today, but we credit reporters in release notes (with your consent) and will discuss a reward for High/Critical findings on a case-by-case basis.
Scope
In scope:
- The web application at leagify.co.uk and *.leagify.co.uk
- The API endpoints under /api/*
- Infrastructure we operate (our AWS and Supabase configuration)
Out of scope — please don’t test these:
- Third-party services (AWS, Supabase, Stripe, Mux, Sentry, PostHog) — report those to the vendor directly.
- Denial-of-service testing against production. We’re happy to coordinate load testing against staging.
- Social engineering and physical attacks against people or facilities.
Safe harbour
We will not pursue or support legal action against researchers who make a good-faith effort to avoid privacy violations, data destruction, and service interruption; access only the data needed to demonstrate the issue; and give us reasonable time to fix it before public disclosure.