Vulnerability Disclosure Program
The Starr Conspiracy (“TSC”) welcomes good-faith security research and responsible disclosure of vulnerabilities affecting our production application surfaces. We operate this Vulnerability Disclosure Program (“VDP”) to make that engagement clear, predictable, and safe for both researchers and TSC.
TSC does not currently operate a paid bug bounty program. Researchers are not compensated monetarily for valid disclosures, but we will publicly acknowledge contributions when the researcher consents and the disclosure is material.
Reporting a vulnerability
Email security@thestarrconspiracy.com with the following information:
- A clear description of the vulnerability and its potential impact.
- Step-by-step reproduction instructions.
- The affected endpoint(s), component(s), or product surface(s).
- Your contact information for follow-up (email is fine; PGP optional — fingerprint available on request).
- Whether you would like public acknowledgment, and how you would like to be credited (your name, handle, or anonymous).
Service Level Agreements
TSC commits to the following SLAs for valid disclosures received via the channels above:
- Acknowledgment: within 2 business days of receipt.
- Triage and severity classification: within 5 business days.
- Remediation, by severity:
  - Critical: 30 days
  - High: 60 days
  - Medium: 90 days
  - Low: best-effort, communicated case-by-case
Business days are TSC’s observed business days in the US Eastern time zone, excluding US federal holidays.
Scope
In scope
- TSC’s production application surfaces and API endpoints.
- Authentication and authorization flows (Clerk-managed identity).
- Tenant isolation and access control.
- AI integration boundaries — prompt injection, output validation, agentic workflow authorization.
- Public TSC web properties (this trust portal and the corporate site).
Out of scope
- Third-party services TSC uses as sub-processors (Vercel, Railway, MongoDB Atlas, Clerk, Sentry, OpenAI, Anthropic, GitHub). Please report issues affecting these to the relevant provider directly. If you believe a finding affects TSC’s configuration of a sub-processor, that is in scope.
- Social engineering of TSC personnel, customers, or partners (including phishing of TSC employees or impersonation of TSC).
- Denial-of-service (DoS / DDoS) attacks, volumetric load testing, or any testing intended to degrade availability.
- Physical attacks, lock-picking, or attacks against TSC personnel, offices, or vendors.
- Findings that require physical access to a researcher’s own device or that depend on a privileged local position with no remote attack path.
- Theoretical issues without a demonstrated security impact (e.g., missing best-practice headers without a working exploit, version-number disclosure without a CVE chain).
- Automated scanner output without manual validation. We welcome scanner-augmented research but require a written validation of the finding before submission.
Safe harbor
TSC will not pursue legal action against good-faith security researchers operating within the scope and rules of this program. To qualify for safe harbor:
- Test only against your own accounts or accounts for which you have explicit written permission to test.
- Do not access, modify, retain, or destroy data belonging to TSC or any TSC customer beyond the minimum necessary to demonstrate the vulnerability.
- Do not exfiltrate data, even for proof-of-concept purposes. If you encounter sensitive data during testing, stop, document the incident, and report it to us immediately.
- Do not pivot from a finding into TSC’s internal infrastructure, customer tenants, or sub-processor environments.
- Comply with the in-scope and out-of-scope rules above.
- Give us a reasonable opportunity to remediate before public disclosure. We will work with you on coordinated disclosure timing; the default expectation is 90 days for non-critical findings, faster for actively exploited vulnerabilities.
- Do not violate applicable law or the rights of any third party (including TSC’s customers).
Public acknowledgment
With your consent, TSC will publicly acknowledge valid disclosures. Acknowledgments are published in our security advisories when a finding warrants public notice (production-affecting, customer-impacting, or a coordinated public CVE). Researcher names appear by consent only; if you prefer to remain anonymous, we will honor that.
Out of scope: monetary rewards
TSC does not currently offer monetary rewards for valid disclosures. A formal paid bug bounty program is under evaluation as part of TSC’s post-SOC 2 maturity roadmap. Researcher participation in this VDP is voluntary and not compensated; valid disclosures are recognized through public acknowledgment when the researcher consents.
Contact
- Primary intake: security@thestarrconspiracy.com
- Named contact: Dan Whateley, COO — dan@thestarrconspiracy.com
- Machine-readable contact: security.txt