Vulnerability Disclosure Guidelines
We value the security research community and the importance of coordinated vulnerability disclosure. If you've found a security vulnerability in CinderPaste, please let us know — we welcome the chance to work with you to resolve it promptly.
Our program adopts the following policy components: Coordinated Vulnerability Disclosure, Safe Harbor, Open Scope, Core Ineligible Findings, and Detailed Platform Standards.
In scope
- The CinderPaste web application at https://cinderpaste.xyz
Accepted by design — please don't report these
- Pastes are not end-to-end encrypted; the operator can read stored content. "Private" means password-gated, not zero-knowledge.
- Anyone who holds a private paste's unguessable ID can see its metadata (language, timestamps) without the password; only the content is password-gated.
- The service scales to zero when idle and may cold-start on the first request.
Out of scope
- The underlying Fly.io hosting platform/infrastructure — we don't own it and can't authorize testing on it.
- Denial-of-service, volumetric, or rate-limit-exhaustion attacks.
- Social engineering of the operator or any third party.
- Attacks on accounts, email, or systems outside the application itself.
- Physical attacks.
How to report
Email security@cinderpaste.xyz with details and clear reproduction steps. We aim to acknowledge reports quickly — usually within a day.
Thank you for helping keep CinderPaste secure.