Security Policy

Last updated: 2026-05-16 — Version 1

We take security seriously. If you find a vulnerability, please tell us.

Scope

• The marketing site at bona.works
• The application at bona.works (or wherever it ends up)
• Public kit pages at bona.works/kit/
• Our API endpoints
• Our infrastructure (within reason — please don’t DDoS us to “test”)

What’s NOT in scope

• Third-party services (Stripe, PostHog, Fly.io) — report to them directly.
• Social engineering of our team.
• Physical attacks on our infrastructure.
• Disclosed vulnerabilities in dependencies (those are tracked elsewhere).

How to report

Email: security@bona.works.
PGP key: PGP key not yet published.

In the report, include:

• Description of the vulnerability.
• Steps to reproduce.
• Potential impact.
• Whether you’ve contacted anyone else.

What we’ll do

• Acknowledge your report within 48 hours.
• Investigate within 7 days.
• Fix valid issues within timelines based on severity:
  • Critical: 7 days
  • High: 30 days
  • Medium: 90 days
  • Low: when reasonable
• Credit you (with permission) in our security disclosures unless you prefer anonymity.

Bug bounty

We can’t pay cash bounties at our scale (yet). For valid critical and high reports, we’ll send merch / a year of Pro tier on us / a thank-you on a public security page. As we grow, we’ll formalize a cash bounty program.

What we won’t do

• Sue you for finding a vulnerability we didn’t know about.
• Threaten or harass researchers.
• Hide vulnerabilities to avoid reputational damage.

If we mess up, please tell us — privately first, publicly if we don’t respond.

← Back to bona