Security

Responsible Disclosure Policy

Last updated: May 23, 2026

Thank you for helping keep CornholeBoards.us and our users secure. We welcome reports from independent security researchers and commit to working with you to verify, reproduce, and remediate any vulnerability you identify.

How to report

Send vulnerability reports to contact@tuxxin.com with the subject prefix [Security], or use our contact form.

For machine-discoverable info, see /.well-known/security.txt (RFC 9116).

What to include

• Clear description of the vulnerability and its impact.
• Step-by-step reproduction (HTTP requests, sample payloads, screenshots).
• Affected URL(s) or endpoint(s).
• Your name or handle for credit (if you want to be credited).
• Proof-of-concept code if available — please do not include actual user data, only synthetic/test data.

Our response

• Acknowledgement within 3 business days.
• Triage and severity assessment within 7 business days.
• Patch deployment targeted within 30 days for critical/high, 90 days for medium, 180 days for low.
• Public credit in our security acknowledgments (with your permission) after the fix is released.

Scope

In scope:

• cornholeboards.us and all subdomains we own (e.g. cdn.cornholeboards.us).
• Web application vulnerabilities (XSS, CSRF, SQL injection, IDOR, SSRF, RCE, auth bypass, etc.).
• Data exposure (PII, payment data, credentials in responses).
• Logic flaws in the Designer credit/quota system or PayPal subscription flow.
• Cookie/session-management issues.

Out of scope:

• Third-party services we use (PayPal, Google AdSense, MailerSend, Cloudflare, Iconify). Report directly to the vendor.
• Theoretical vulnerabilities without a demonstrated impact (e.g., "missing HTTP header" without an exploitable case).
• Bugs in browsers, plugins, or operating systems.
• Issues that require physical access to a user’s device.
• Social-engineering, phishing of staff, or anything requiring user interaction beyond clicking a link.
• Denial-of-service tests — please do not actively DoS the site to demonstrate vulnerability.
• Open redirect on URL parameters that have an explicit warning interstitial (we don’t have any, but this is the standard scope language).
• Self-XSS (requires the victim to paste payload into devtools).
• SPF/DKIM/DMARC misconfigurations — we’ll work on those but they’re low priority.
• Reports generated automatically by scanners without manual verification.

Safe harbor

We will not pursue legal action against you for any good-faith vulnerability research that:

• Follows this policy.
• Stays within the in-scope list above.
• Avoids accessing, modifying, exfiltrating, or destroying user data beyond what is strictly necessary to demonstrate the vulnerability.
• Does not disrupt service availability.
• Notifies us promptly and gives us a reasonable window to remediate before public disclosure.

Bounty

We do not currently run a paid bounty program, but we offer public acknowledgment, a thank-you swag pack of branded cornhole bags (when the merch store opens), and priority response on any future bounty program we launch.

PGP

No PGP key is published yet. If you need encrypted communication, email us and we’ll exchange keys directly.

See also: Privacy Policy · Terms of Service