Security & Vulnerability Disclosure
Reporting a vulnerability
If you believe you've found a security vulnerability in RealWorkFromHomeJobs.com, please email [email protected] before disclosing it anywhere public. We read every report and respond personally.
Include in your report:
- A clear description of the vulnerability
- Steps to reproduce, ideally with a minimal proof of concept
- The affected URL, endpoint, or feature
- What an attacker could do with it (impact)
- Your name or handle if you'd like credit
Our commitments
When you report a vulnerability in good faith, we will:
- Acknowledge receipt within 2 business days. A human will reply, not a form letter.
- Triage and provide an initial assessment within 7 days, including severity and a rough timeline for the fix.
- Keep you updated as the fix progresses, and let you know when it ships to production.
- Credit you in the hall of fame below (if you want — anonymous reports are equally welcome).
- Not take legal action against good-faith researchers who follow this policy. See safe harbour below.
Scope
The following are in scope:
- realworkfromhomejobs.com and any sub-paths
- The HTTP API at /api/*
- Authentication, session handling, password reset, OAuth flows
- Job-post submission and moderation flows
- Payment and webhook handling (note: card processing itself is handled by Lemon Squeezy and is out of scope here)
Out of scope:
- Denial-of-service or volumetric attacks. Do not attempt these.
- Social-engineering attacks against staff or other users
- Physical attacks against our infrastructure or office spaces
- Reports based purely on automated scanner output without evidence of an exploitable issue
- Missing security headers, cookie attributes, or DNS records that don't lead to an exploitable vulnerability (we'll still read these but they aren't eligible for credit)
- Issues in third-party services we use (Lemon Squeezy, Neon, Cloudflare, Maileroo, etc.) — please report those directly to the affected vendor
Safe harbour
We will not pursue or support legal action against researchers who:
- Make a good-faith effort to follow this policy
- Avoid privacy violations, destruction of data, and disruption of service to other users
- Don't exfiltrate any data beyond the minimum needed to demonstrate the vulnerability
- Don't publicly disclose the issue until we've had a reasonable chance to fix it (typically 90 days, sooner for low-severity issues, by agreement for complex ones)
If your research is conducted within these terms, we consider it authorised activity and will work with you to resolve the issue quickly.
What we don't do
We don't pay bug bounties at this time. We're an independently operated job board, not a venture-funded company with a security budget. We give credit, we respond fast, and we fix issues — but we can't offer monetary rewards. If that changes, we'll announce it here.
Hall of fame
Researchers who've responsibly disclosed issues to us will be listed here, in chronological order, with their permission.
Be the first — we look forward to thanking you.
Encrypting your report
If your report contains sensitive details, you're welcome to email a PGP-encrypted message and we'll respond in kind. Ask first at [email protected] and we'll share our public key.
Other contact
For non-security questions (billing, account, content moderation), please use [email protected]. Routing non-security mail through the security alias slows down real vulnerability reports.