Security Policy
Last updated: 2026-05-17 — Version 2
We take security seriously. If you find a vulnerability, please tell us.
Scope
- The marketing site at bona.works
- The application at bona.works
- Public kit pages at bona.works/kit/
- Our API endpoints
- Our infrastructure (within reason — please don’t DDoS us to “test”)
What’s NOT in scope
- Third-party services (Stripe, PostHog, Fly.io) — report to them directly.
- Social engineering of our team.
- Physical attacks on our infrastructure.
- Disclosed vulnerabilities in dependencies (those are tracked elsewhere).
How to report
Email: security@bona.works. PGP key: not yet published.
In the report, include:
- Description of the vulnerability.
- Steps to reproduce.
- Potential impact.
- Whether you’ve contacted anyone else.
What we’ll do
- Acknowledge and investigate your report within 7 days.
- Fix valid issues within timelines based on severity: Critical 7 days; High 30 days; Medium 90 days; Low when reasonable.
- Credit you (with permission) in our security disclosures unless you prefer anonymity.
Bug bounty
We can’t pay cash bounties at our scale (yet). For valid critical and high reports, we’ll send merch, give you a year of the Pro tier on us, or thank you on a public security page. As we grow, we’ll formalize a cash bounty program.
What we won’t do
- Sue you for finding a vulnerability we didn’t know about.
- Threaten or harass researchers.
- Hide vulnerabilities to avoid reputational damage.
If we mess up, please tell us — privately first, publicly if we don’t respond.