The End Effector

Security

Vulnerability Disclosure Policy

Last updated: May 2026

The End Effector welcomes reports from security researchers who help us keep our members and the public safe. This page explains how to reach us, what is in scope, and the protections we extend to good-faith research.

Machine-readable contact information is also published at /.well-known/security.txt per RFC 9116.

Reporting a Vulnerability

Email security@endeff.com with a description of the issue, the affected URL or surface, the steps required to reproduce, and any impact you observed. Please include the timestamp of your testing (with timezone) so we can correlate your activity in our logs.

We aim to acknowledge new reports within 72 hours and to provide a substantive status update within seven days. Severity, complexity, and our own staffing constraints will affect remediation time, but we will keep you informed.

Scope

The following surfaces are in scope:

  • endeff.com — the main site, all content surfaces, and the membership flow
  • id.endeff.com — Effector ID credential issuance and verification
  • sig.endeff.com — Sigline email signature service
  • conduit.endeff.com — Conduit SMS intelligence platform
  • store.endeff.com — Cross & Check merch store
  • Other subdomains served from *.endeff.com that we operate directly

Out of Scope

The following are explicitly out of scope:

  • Third-party services we use — Clerk, Stripe, Sanity, Supabase, Vercel, Beehiiv, Resend, Inngest, Cloudflare, and others. Please report directly to the responsible vendor.
  • Denial of service — volumetric or resource-exhaustion attacks, and any test that risks degrading service for other members
  • Social engineering — phishing, vishing, or other attacks targeting our staff, members, or vendors
  • Physical attacks against staff or facilities
  • Spam and abuse of contact forms, comment systems, or newsletters
  • Missing security headers with no demonstrated impact, and other theoretical issues without a working proof of concept
  • Reports from automated scanners without a manual confirmation that the finding is exploitable
  • Self-XSS and other attacks that require the victim to paste code into their own browser console
  • Rate-limiting findings on endpoints that do not handle sensitive data, unless you can demonstrate concrete abuse

Safe Harbor

We will not pursue or support legal action against researchers who, in good faith:

  • Comply with this policy and the conditions of scope above
  • Avoid privacy violations, destruction of data, and interruption or degradation of our service
  • Only interact with accounts they own, or with the explicit written permission of the account holder
  • Report the issue to us promptly and give us reasonable time to remediate
  • Do not publicly disclose the issue before we have remediated it and agreed on a disclosure timeline

If legal action is initiated by a third party against you for activity that complied with this policy, we will make our authorization known.

Process

Reports follow this lifecycle:

  1. Triage — we acknowledge receipt within 72 hours and confirm whether we can reproduce the issue
  2. Fix — we develop, test, and deploy a remediation. Critical issues receive immediate attention; lower-severity issues are scheduled into our normal development cadence
  3. Disclosure — once the fix is live, we coordinate a public disclosure timeline with you. Our default is 90 days from the initial report, but we will accelerate or extend by mutual agreement
  4. Acknowledgment — with your consent, we add your name and a short description of the issue to our acknowledgments page

Acknowledgments

Credit is opt-in. Tell us in your report whether you want public attribution and how you want to be listed (name, handle, or anonymous). We do not currently run a paid bug-bounty program, but we appreciate the work and try to say so loudly.

Contact

Send reports to security@endeff.com. For non-security questions, see our privacy policy or email hello@endeff.com.