At Polar, we care deeply about the safety and security of our customers' data and our systems. We welcome security and vulnerability reports as part of our commitment to providing the most secure product possible.

If you've read this document and discovered an issue that you believe is in-scope, Please report it using GitHub Security Advisory tool. It should include:

• A clear summary of the issue and its potential impact.
• Detailed steps to reproduce the issue.
• Relevant environmental details (browser, OS, version numbers, etc.).
• Any proof-of-concept code that demonstrates the vulnerability, if available.

Our security team will review your report and keep you updated on our progress, requesting additional information or clarification when needed.

We believe that vulnerability reporting creates a safer, better product for our customers. As such, we might offer compensation for reports that lead to a confirmed vulnerability, at our discretion.

We'll get back to you within a few days to acknowledge your report.

• Authentication bypass and privilege escalation.
• Exposure of personally identifiable information (PII).
• Unauthenticated access to user data (outside of intentionally public data).

• https://polar.sh
• https://api.polar.sh

• Automated scanning.
• Social engineering.
• Denial of Service attacks.
• Attacks that need physical access to someone's computer.
• Theoretical attacks you can't actually exploit.
• Man-in-the-middle attacks.
• Clickjacking or UI redress attacks.
• CSV injection.
• HTML injection.
• Missing security headers, weak TLS cipher suites, or DNS setup issues. We might find these informative, but they probably won't earn a bounty.

• Only test with your own account (or get permission from the account owner first).
• Don't modify, delete, or store private data that isn't yours.
• Avoid anything that might break or slow down our services.
• If you get remote access to our systems, don't try to expand or elevate your access.