Email security@instanode.dev with the details: reproduction steps, scope, suspected impact.
SLA: 72-hour initial acknowledgement. 30 days for P0/P1 fix. 90-day coordinated disclosure window.
No paid bug bounty currently — service credits for confirmed P0/P1 disclosures.
- This repository's source
- https://api.instanode.dev
- https://instanode.dev
- Third-party integrations (Razorpay, Brevo, DigitalOcean, etc.) — report directly to those vendors
Good-faith security research that does not compromise customer data, does not disrupt service, and follows coordinated disclosure is safe from legal action under this policy.