Effective May 8, 2026

Security Policy

If you've found a security vulnerability in Daily Leveling, we want to hear from you. We treat security reports as a top priority.

How to report

Email security@dailyleveling.app with:

• Description of the vulnerability
• Steps to reproduce
• Affected URLs / endpoints / app versions
• Impact assessment (what an attacker could do)
• Your name / handle (for credit, optional)

Please do not publicly disclose until we've had a reasonable opportunity to investigate and fix.

What's in scope

• The website and API at dolo-leveling-mobile.vercel.app (and any custom domain)
• The iOS and Android mobile apps
• Authentication, authorization, data exposure, injection, RCE, privilege escalation

What's out of scope

• DoS / DDoS attacks
• Social engineering of our staff or users
• Physical attacks against our offices or infrastructure
• Issues in third-party services we depend on (report to them directly)
• Self-XSS that requires the user to paste code into their console
• Missing security headers without a demonstrated impact
• Spam, brute force on user accounts (we have rate limits)

Our commitments

• We acknowledge reports within 5 business days.
• We provide a status update within 14 days.
• We do not pursue legal action against good-faith researchers who follow this policy.
• We credit researchers in our security acknowledgements (with consent).

Safe harbor

We consider research conducted in accordance with this policy to be authorized. If a third party initiates legal action against you for activity conducted in line with this policy, we will make it known that your actions were authorized.

Encryption

For sensitive disclosures, request our PGP key by emailing the security address.