FatesForge

Security Policy

We take the security of FatesForge Tracker and fatesforge.app seriously. If you have found a vulnerability, we'd like to hear from you so we can investigate and fix it as quickly as possible.

How to Report

Send a detailed report to the email below. Please include:

• A clear description of the issue
• Steps to reproduce, ideally with a proof-of-concept
• The potential impact on users or infrastructure
• Any suggested remediation if you have one

Our Commitment

We will acknowledge your report within 48 hours and aim to provide a more detailed response, including our assessment and an estimated timeline for a fix, within 7 days. We will keep you updated on our progress and let you know once the issue is resolved.

We kindly ask that you give us reasonable time to address the issue before any public disclosure. We are a small, independent team and appreciate your patience.

Scope

In scope:

• The fatesforge.app website and all subdomains
• FatesForge Tracker desktop application
• Our Cloudflare Workers backend (fatesforge-pay.fatesforge.workers.dev)
• Any service owned and operated by FatesForge

Out of scope:

• Automated vulnerability scanner output without a demonstrated impact
• Denial-of-service attacks, volumetric or otherwise
• Social engineering of our users or team members
• Attacks requiring physical access to a user's device
• Issues in third-party services (Cloudflare, Stripe, Resend, GitHub) — please report those upstream
• Self-XSS and issues that require significant user interaction to exploit

Recognition

We don't currently offer a monetary bug bounty, but we'd be glad to credit you publicly if you'd like. Just let us know in your report whether you want to be acknowledged and how you'd like to be named.

Safe Harbor

We consider security research conducted under this policy to be authorized. We won't pursue legal action against researchers who act in good faith, avoid privacy violations and service disruption, and give us a reasonable window to respond before disclosure.