Email security@instanode.dev with details (steps, scope, impact). SLA: 72h initial acknowledgement, 30 days for P0/P1 fix, 90-day coordinated disclosure. No paid bounty currently — service credits for verified P0/P1 reports.

In scope: this repository's source, https://api.instanode.dev, https://instanode.dev. Out of scope: third-party integrations (Razorpay, Brevo, DigitalOcean).

Good-faith research that doesn't compromise customer data, doesn't disrupt service, and follows coordinated disclosure is safe from legal action under this policy.