Security

Responsible disclosure.

If you've found a security issue in Palimpsa or anywhere on our infrastructure, please tell us. We will not pursue legal action against good-faith research.

Contact

Email security@beyond-the-box.uk. We acknowledge within two working days. The same address covers all BeyondTheBox products.

For machine-readable contact info, see /.well-known/security.txt (RFC 9116).

What helps

  • A clear description of the issue and how to reproduce it.
  • The affected surface (URL, endpoint, route, or version).
  • Your suggested severity and any redacted proof-of-concept.
  • Your name as you'd like to be credited (or "anonymous").

What we ask

  • Don't access data that isn't yours.
  • Don't run automated scans against production.
  • Give us reasonable time to fix before public disclosure.
  • Don't extort us; we will say no, in public.

Scope

Anything reachable at palimpsa.com or its subdomains. The Yjs WebRTC signaling servers we use today are operated by third parties (signaling.yjs.dev and a public Heroku relay). Issues there are not in scope, but please tell us so we can switch providers if needed.

Hall of fame

When researchers help, we credit them here with permission. Empty for now — be the first.