Security Policy & Vulnerability Disclosure
1. Introduction
At Rapid Risk Review ("RRR," "we," "our," "us"), security is fundamental to our mission of helping organizations assess vendor risk. We value the work of security researchers who help us maintain the highest security standards.
This policy outlines how to report security vulnerabilities responsibly, what you can expect from us, and the safe harbor protections we provide to good-faith researchers.
2. How to Report a Vulnerability
If you believe you have discovered a security vulnerability in our systems, please report it to us immediately through one of these channels:
- Primary contact: email security@rrr.dev
- Alternative contact: our contact form, with "Security" as the subject
- Machine-readable contact details: https://rrr.dev/.well-known/security.txt
3. What to Include in Your Report
To help us understand and address the vulnerability quickly, please include:
- Description: A clear, detailed description of the vulnerability
- Steps to Reproduce: Step-by-step instructions to replicate the issue
- Impact Assessment: Your assessment of the potential security impact
- Affected Components: URLs, endpoints, or system components involved
- Proof of Concept: Screenshots, code snippets, or other evidence (if applicable)
- Recommendations: Any suggested remediation steps (optional)
- Your Contact Information: How we can reach you for follow-up
Please write your report in English. We accept reports in plain text or PDF format.
4. Response Timeline
We are committed to responding promptly to all security reports:
- 48h – Initial acknowledgment: we will confirm receipt of your report within 48 hours (two business days)
- 5d – Triage and assessment: we will reproduce the issue and assign a severity within 5 business days
- 7d – Status updates: we will send a status update at least every 7 days until the issue is resolved
- 90d – Resolution target: full remediation of critical and high severity issues within 90 days of your report
Response times may vary based on the complexity and severity of the reported vulnerability.
5. Safe Harbor
Our Commitment: We will not pursue legal action against security researchers who discover and report vulnerabilities in good faith, in accordance with this policy.
If you conduct security research in accordance with this policy, we consider your research to be:
- Authorized with respect to the Computer Fraud and Abuse Act (CFAA) and similar state anti-hacking laws
- Authorized with respect to the anti-circumvention provisions of the Digital Millennium Copyright Act (DMCA)
- Exempt from restrictions in our Terms of Service that would otherwise prohibit testing
- Lawful, helpful to the overall security of the Internet, and conducted in good faith
We will work with you to understand and resolve the issue quickly. If legal action is initiated by a third party, we will take steps to make it known that your actions were conducted in compliance with this policy.
This safe harbor applies only to research conducted in accordance with all requirements of this policy.
6. Scope
In Scope:
- rrr.dev web application and all subdomains
- API endpoints and backend services
- Authentication and authorization systems
- Edge functions and serverless infrastructure
- Data storage and processing systems
Out of Scope:
- Vulnerabilities in the platforms of third-party services we use (Supabase, Stripe, OpenAI, etc.); please report those to the vendor directly
- Social engineering attacks against our employees or users
- Denial of Service (DoS/DDoS) attacks
- Physical security of offices or data centers
- Spam or phishing tests
- Automated scanning without explicit permission
- Testing on accounts you do not own (unless with explicit permission)
7. Responsible Disclosure Guidelines
To qualify for safe harbor protection, please follow these guidelines:
- Do NOT access, modify, or delete data belonging to other users
- Do NOT disrupt or degrade the availability of our services
- Do NOT publicly disclose the vulnerability until we have had reasonable time to address it
- Do NOT exploit the vulnerability beyond what is necessary to demonstrate the issue
- Do NOT use automated tools that generate excessive traffic
- DO stop testing immediately if you access sensitive data
- DO delete any retrieved data after reporting the vulnerability
- DO provide us reasonable time to respond before any disclosure (typically 90 days)
8. Coordinated Disclosure
We support coordinated disclosure. Our standard disclosure timeline is:
- 90 days from your initial report for us to develop and deploy a fix
- We will coordinate with you on public disclosure timing
- If we are unable to resolve the issue within 90 days, we will discuss an appropriate extension
- We may request early disclosure if we determine the vulnerability poses an immediate threat
We believe in transparency and will acknowledge your contribution in any public disclosure (unless you prefer to remain anonymous).
9. Recognition
We appreciate the security research community and want to recognize your contributions:
- Researchers who report valid vulnerabilities may be acknowledged in our security hall of fame (with permission)
- We will provide written confirmation of your report and its resolution upon request
- Significant contributions may be highlighted in our security communications
Note: We do not currently operate a paid bug bounty program. However, we deeply appreciate responsible disclosure and may offer tokens of appreciation for significant findings at our discretion.
10. Contact Information
Security Team
Rapid Risk Review
Email: security@rrr.dev
Security.txt: https://rrr.dev/.well-known/security.txt
For general inquiries not related to security vulnerabilities, please contact: contact@rrr.dev
This Security Policy is maintained in accordance with industry best practices and RFC 9116 (the security.txt standard). For other legal information, please see our Terms of Service, Privacy Policy, and AI Disclosure Addendum.