Responsible Disclosure Policy

Effective date: May 13, 2026.

1. Introduction

Bakerkit takes security seriously. If you discover a security vulnerability in the Bakerkit platform, we ask you to disclose it responsibly by following this policy. Your efforts to report vulnerabilities help us keep Bakerkit safe for all users.

2. Scope

This policy applies to security vulnerabilities in the Bakerkit platform, including app.bakerkit.app, www.bakerkit.app, and any *.bakerkit.app subdomains. Security testing must be performed only on accounts you own or have explicit written permission to test. Do not test on accounts belonging to other users.

3. Prohibited Activities

The following activities are strictly prohibited when researching Bakerkit:

  1. Denial-of-service (DoS) or distributed DoS attacks.
  2. Sending spam or unsolicited messages through the platform.
  3. Any action that degrades platform performance or availability for other users.
  4. Accessing, modifying, or deleting data belonging to other users.
  5. Testing third-party integrations (Stripe, Supabase, Resend, Vercel) — report those directly to the relevant vendor.
  6. Social engineering or phishing attacks targeting Bakerkit staff or users.

4. How to Report

Please use our contact page to submit your report. Include the following information:

  1. A description of the vulnerability and its potential impact.
  2. Step-by-step reproduction instructions.
  3. Any supporting evidence (screenshots, HTTP traces, proof-of-concept code).
  4. Your contact information (optional — anonymous reports are accepted, but we cannot provide follow-up without contact details).

5. Our Commitments

When you report in accordance with this policy, Bakerkit will:

  1. Acknowledge receipt of your report within 5 business days.
  2. Provide an estimated timeline for investigation and resolution.
  3. Notify you when the vulnerability has been fixed.
  4. Credit you in our acknowledgements (with your permission) if the report leads to a confirmed fix.

6. Compensation

Bakerkit does not currently offer monetary compensation or a bug bounty program. We appreciate responsible disclosure and will acknowledge your contribution publicly (with your permission).

7. Legal Safe Harbour

Bakerkit will not pursue legal action against researchers who discover and report vulnerabilities in good faith in accordance with this policy. Testing must be limited to your own accounts and must not disrupt service for others. We reserve the right to pursue legal action against anyone who engages in prohibited activities or acts in bad faith.

8. Governing Law

This policy is governed by the laws of the Province of Alberta and the federal laws of Canada applicable therein.