Vulnerability disclosure policy
Effective Date: June 13, 2026
We welcome reports from independent security researchers. This page describes how to report a vulnerability in Self Employment Toolkit, what we do when we receive one, and what you can expect in return.
1. Scope
In scope:
- The Self Employment Toolkit web application at selfemploymenttoolkit.com.
- The Worker API at mileage-tracker-api.woodfiredigital.workers.dev (the same code as the web app, behind the apex domain).
- Public sub-pages: /, /mileage-tracker, /time-tracker, /expense-tracker, /invoice-generator, /tax-export, /integrations, /privacy, /terms, /refunds.
- The /mcp Model Context Protocol endpoint, OAuth flow, and API key issuance.
Out of scope:
- Findings that require a victim with a compromised device, browser, or email account.
- Social engineering of Woodfire Digital staff or customers.
- Denial of service. We rate-limit publicly; please do not test by saturating shared resources.
- Reports about software versions or library versions (e.g. "you are using X version Y which has CVE-Z") without a working proof of concept against our deployment.
- Findings on third-party services we depend on (Cloudflare, Paddle, Brevo, Anthropic, OpenStreetMap, OSRM, Google Analytics, Google Fonts). Report those to their respective vendors.
2. How to report
Email support@selfemploymenttoolkit.com with a subject line starting with "[security]". Include:
- A clear description of the vulnerability and the impact.
- Steps to reproduce (a working proof of concept significantly accelerates triage).
- The affected URL or endpoint.
- Your contact info and any public name or handle you would like credited (or "anonymous" if you prefer no public credit).
If the report contains data that would risk other users (e.g. proof of cross-tenant data exposure), please redact the affected account identifiers and include only your own test accounts where possible.
3. What we do
- We acknowledge receipt within two business days.
- We confirm or dispute the vulnerability within seven business days.
- We aim to remediate confirmed vulnerabilities on this schedule, depending on severity: critical within 7 days; high within 30 days; medium within 90 days; low at our discretion.
- We will keep you informed of progress and let you know when the fix ships.
- With your permission, we credit you on the changelog entry for the fix.
4. No bug bounty
We do not currently offer a paid bug bounty. Self Employment Toolkit is operated by Woodfire Digital, LLC, a small independent company. We are grateful for responsibly disclosed reports and we credit researchers on the changelog (with permission), but we are not in a position to pay bounties at this time. If you are looking for a paid program, please redirect your effort to a vendor that runs one. We will not be offended.
5. Safe harbor
If you make a good-faith effort to comply with this policy when researching and reporting a vulnerability, we will:
- Not pursue or support any legal action against you for the research.
- Not report you to law enforcement for the research.
- Work with you in good faith to understand and resolve the issue.
For these protections to apply, you must:
- Stop testing immediately if you encounter another user's data and report only what is necessary to demonstrate the issue.
- Not violate the privacy of any user. Do not download, alter, or destroy user data.
- Use only test accounts you create. Do not access, modify, or impersonate other users.
- Not publicly disclose the vulnerability until we have shipped a fix or 90 days have passed since acknowledgment, whichever comes first.
- Comply with all applicable laws.
6. Public disclosure
We follow a coordinated disclosure model. After a fix is shipped, you are welcome to publish a write-up. If you would like us to coordinate a public announcement, we are happy to align timing.
7. Contact
Email: support@selfemploymenttoolkit.com (subject: [security])
Postal mail: Woodfire Digital, LLC, PO Box 20, Lithopolis, Ohio 43136, United States
Machine-readable contact: /.well-known/security.txt (RFC 9116)