Security: InstaNode-dev/provisioner

SECURITY.md

Security policy

Reporting a vulnerability

Email security@instanode.dev with the details: reproduction steps, scope, and suspected impact.

SLA: 72-hour initial acknowledgement. 30 days for P0/P1 fix. 90-day coordinated disclosure window.

No paid bug bounty currently — service credits for confirmed P0/P1 disclosures.

In scope

Out of scope

  • Third-party integrations (Razorpay, Brevo, DigitalOcean, etc.) — report directly to those vendors

Safe harbor

Good-faith security research that does not compromise customer data, does not disrupt service, and follows coordinated disclosure is safe from legal action under this policy.

There aren't any published security advisories