# Responsible Disclosure & Security Policy

X Factor Peptides takes the security of our customers, our systems, and the integrity of our supply chain seriously. This document describes how to report a vulnerability and what to expect from us in return.

## Scope

In scope:

- `xfactorpeptidelab.com` and `www.xfactorpeptidelab.com`
- The Supabase backend at `*.supabase.co` operated by X Factor Peptides
- The admin dashboard at `/admin`
- The customer account flow at `/account`, `/cart`, `/order-confirm`, `/order-tracking`
- The COA library at `/coa`
- All edge functions under `*.functions.supabase.co` operated by X Factor Peptides

Out of scope:

- Denial-of-service or volumetric attacks
- Social engineering of staff or customers
- Physical attacks against our warehouse or fulfilment partners
- Vulnerabilities in third-party services (Cloudflare, Supabase, Coinbase Commerce, Klaviyo, Namecheap) — report those upstream
- Reports requiring full physical or remote access to a user's already-compromised device

## How to report

Email: **security@xfactorpeptidelab.com**

Include:

1. A clear description of the issue
2. Steps to reproduce
3. Impact assessment from your point of view
4. Any proof-of-concept code or screenshots (please redact PII)
5. Your name or handle for credit (optional)

We accept reports in English. Our PGP key is published at `/.well-known/pgp.txt` and is rotated annually.

## What to expect

- **Acknowledgement within 72 hours** of receipt.
- **Triage within 7 days** with a severity rating and expected fix window.
- **Status updates** at least every 14 days while a report is open.
- **Public credit** in our security hall-of-fame at `/security/hall-of-fame` once a fix ships, if you opt in.
- We do not currently run a paid bug bounty. We do provide swag and credit for valid reports.

## Severity tiers

| Tier | Examples | Target fix |
| --- | --- | --- |
| Critical | RCE, auth bypass on admin, payment manipulation, mass PII exposure | 72 hours |
| High | Stored XSS in admin, IDOR exposing other customers' orders, RLS bypass | 14 days |
| Medium | Reflected XSS, open redirect, missing CSRF protection on a non-state-changing endpoint | 30 days |
| Low | Information disclosure, missing security header, weak CSP rule | 90 days or batched |

## Safe harbor

We will not pursue legal action against researchers who:

- Make a good-faith effort to follow this policy
- Avoid privacy violations, data destruction, and service degradation
- Do not exfiltrate more data than is necessary to demonstrate impact
- Give us reasonable time to remediate before public disclosure (90 days default)

This safe harbor extends only to actions covered by this policy and does not waive any rights of third parties.

## Out-of-band contact

If you cannot reach us by email, use the form at `https://www.xfactorpeptidelab.com/contact` and mark it `[SECURITY]`. As a last resort: `trainyouragent@gmail.com`.

Last updated: 2026-06-03.
