Security
Responsible disclosure
Helm handles your brand data, OAuth tokens, and access to your social platforms. We take security seriously and depend on responsible researchers to keep us honest.
Reporting a vulnerability
Email security@trythelm.com with:
- A clear description of the issue
- Steps to reproduce, or a minimal proof-of-concept
- Affected URL(s) or endpoint(s)
- Impact assessment (what could an attacker do?)
Please do not open a public GitHub issue, post on social media, or DM us asking for a bounty before sharing details. We will not engage with reports that demand payment before disclosure.
What to expect
- Acknowledgement within 7 days.
- Triage and validation within 14 days.
- Fix within 30 days for critical and 60 days for moderate severity. Some classes of issue may take longer; we'll tell you the timeline.
- Public credit on the security hall of fame (coming soon) for valid first reports of unpatched issues.
Bounty program
We don't currently run a paid bug bounty. We deeply appreciate responsible disclosure and will publicly credit researchers who report valid issues. We may add a paid program as the user base grows.
Out of scope
- Findings from automated scanners without a working proof-of-concept.
- Reports that boil down to “the site is missing a security header.” We cover the important ones; if you find a genuine missing protection, the impact section of your report is what matters.
- Social engineering of Helm staff or users.
- Physical attacks on infrastructure (we run on Vercel and Supabase; their infrastructure is their responsibility).
- Denial-of-service via volumetric load.
- Self-XSS or attacks that require an attacker to already control the victim's browser.
- Issues requiring outdated browsers (anything older than the latest two stable releases of Chrome, Firefox, Safari, Edge).
Safe harbor
We will not pursue legal action against researchers who:
- Make a good-faith effort to avoid privacy violations, data destruction, and service disruption.
- Only access the minimum data necessary to demonstrate the issue.
- Don't exfiltrate, retain, or share data found while testing.
- Give us reasonable time to remediate before any public disclosure.
Last updated: 2026-05-08. We'll bump this date whenever the policy materially changes.