Security
Vulnerability disclosure
If you've found a security issue in the ShotSelect Mac app or in the website + worker fleet that backs it, please report it privately to the contact below. We respond within 72 hours and credit researchers in our changelog when they ask to be credited.
tl;dr. Email [email protected] with a clear repro. Don't publish until we've shipped a fix. We don't pay bounties yet, but we will credit you (with your permission) and reply fast.
In scope
- The ShotSelect Mac app — Electron main, IPC handlers, preload bridge, auto-update flow, license validation, XMP write path
- shotselect.app and *.shotselect.app
- Pages Functions: /api/beta-key, /api/latest, /api/social-proof, /api/windows-interest
- Cloudflare Workers: shotselect-telemetry, shotselect-dashboard, shotselect-dl
- R2 release artifacts (shotselect-releases) — chain-of-trust, bucket permissions, signing
Out of scope
- Reports from automated scanners with no proof-of-concept
- Self-inflicted issues (running a custom build, modifying the installed app)
- Issues in upstream Electron, Chromium, Node.js, or third-party native modules — please report those upstream first; we'll backport fixes
- Cloudflare or Resend infrastructure — report to those vendors directly
- Theoretical attacks without exploitability
- Social engineering of the developer or end users
- Physical attacks against a user's Mac
How to report
Email [email protected] with:
- A clear description of the issue and its impact
- A minimal proof-of-concept (script, video, or steps)
- The app version (Settings → About) or the worker URL you tested against
- Whether you'd like to be credited and under what name / handle
If you need to send sensitive details, mention that in the first email and we'll arrange a Signal channel or PGP key.
What we promise
- Acknowledge in 72 hours. Even if we can't fix immediately, we'll confirm we received your report.
- Triage in 7 days. Severity, scope, and an ETA.
- Patch and disclose. Critical issues get a same-week patch and an entry in the changelog. Lower-severity issues get rolled into the next regular release.
- Credit you. If you'd like to be credited, we'll mention you in the changelog entry that ships the fix.
- Don't pursue. We won't take legal action against good-faith research that follows this policy.
Safe-harbor and rules of engagement
- Test only against accounts and data that you own or have explicit permission to access
- Don't degrade service for other users — no DDoS, no flooding, no bulk scraping
- Don't access, modify, or destroy other people's data; if you accidentally see something you shouldn't, stop and tell us
- Give us a reasonable time to fix before public disclosure (90 days default; faster for critical, slower for complex)
- Don't extort. We can't pay bounties yet — if money is what you want, this isn't the program for you
Recognized researchers
None yet — this policy launched on 9 May 2026. Submit the first eligible report and you'll be the first name here.
Machine-readable contact: /.well-known/security.txt