Security Policy

Last updated: May 5, 2026

Morning Pulse takes the security of our platform and our customers' data seriously. This policy describes how to report vulnerabilities, what you can expect from us, and what we consider in and out of scope.

1. Reporting a Vulnerability

Email us at security@morningpulse.app.

Encrypted email is not required but is welcomed for sensitive reports. You can encrypt your message using our PGP public key.

Please include:

  • A clear description of the vulnerability.
  • Step-by-step reproduction instructions.
  • The affected URL or endpoint.
  • Your assessment of the impact.

If you encounter third-party customer data during your research, describe where it was accessible — do not copy, store, or transmit it.

2. Our Commitments

When you report a vulnerability in good faith and follow this policy, we commit to:

  1. Acknowledging receipt within 2 business days.
  2. Providing a first substantive triage response within 5 business days.
  3. Sending status updates at least every 14 days until the issue is resolved.
  4. Not pursuing legal action against you. We consider good-faith security research conducted under this policy to be authorized. We will not bring civil or criminal claims against researchers who follow the guidelines here.
  5. Crediting you publicly (on request) once the issue is fixed. We will include your name or handle in the resolution communications unless you prefer to remain anonymous.

3. Scope — In Scope

The following assets are in scope:

  • *.morningpulse.app — including the production app (check.morningpulse.app), marketing site (morningpulse.app), and mail subdomain (my.morningpulse.app).

Vulnerability classes we are interested in include (but are not limited to):

  • Authentication and authorization bypasses
  • Insecure direct object references (IDOR)
  • Server-side request forgery (SSRF)
  • Remote code execution (RCE)
  • SQL injection (SQLi)
  • Cross-site scripting (XSS)
  • Cross-site request forgery (CSRF)
  • Sensitive data exposure
  • Supply-chain compromise

4. Scope — Out of Scope

The following do not qualify under this policy:

  • Findings from automated scanners submitted without a working proof of concept.
  • Reports of "missing" security headers without demonstrated exploitable impact.
  • Rate limiting or brute-force on login (already throttled — report only with a working bypass).
  • Self-XSS, clickjacking on pages without sensitive actions, or CSRF on logout/non-state-changing endpoints.
  • Social engineering of staff or customers.
  • Physical attacks, denial-of-service, or volumetric testing.
  • Findings on third-party services (Stripe, Shopify, Google) — report those directly to the vendor.
  • Email spoofing without exploitation (we publish SPF/DKIM/DMARC; report only with a working bypass).

5. What Is NOT Permitted

These actions are not authorized under any circumstances:

  • Accessing, modifying, or exfiltrating data that is not yours.
  • Disrupting service availability for other users.
  • Using social engineering or phishing against our team or customers.
  • Publicly disclosing a vulnerability before we have shipped a fix and agreed on disclosure timing.

6. Coordinated Disclosure

We aim to fix high-severity issues within 30 days. Some vulnerability classes (supply-chain, infrastructure) may require more time.

We will coordinate disclosure timing with the reporter and credit them publicly unless they prefer anonymity.

7. Bounty / Payment

We are a small independent team and do not currently run a paid bug bounty program.

What we can offer: public credit, our genuine thanks, and where possible, a free year of Morning Pulse.

8. Updates to This Policy

We may update this policy as our practices evolve. The Expires: field in our security.txt is the source of truth for when this policy is next reviewed.

9. PGP Public Key

Use this key to encrypt emails to security@morningpulse.app when reporting sensitive vulnerabilities.

User ID: Guillaume Marolleau <security@morningpulse.app>

Fingerprint: F58B 10EC 74A1 7F6A B30B 23A6 0979 3029 C85E BED4

Key ID: 0x09793029C85EBED4

Algorithm: Ed25519 (signing) + Curve25519 (encryption)

-----BEGIN PGP PUBLIC KEY BLOCK-----

mDMEafmmfRYJKwYBBAHaRw8BAQdA6Vny/P7xg7/a3TEcrOT3rBiMm7SIFbZvHp5R
j4isbRu0L0d1aWxsYXVtZSBNYXJvbGxlYXUgPHNlY3VyaXR5QG1vcm5pbmdwdWxz
ZS5hcHA+iK8EExYKAFcWIQT1ixDsdKF/arMLI6YJeTApyF6+1AUCafmmfRsUgAAA
AAAEAA5tYW51MiwyLjUrMS4xMiwwLDMCGwMFCwkIBwICIgIGFQoJCAsCBBYCAwEC
HgcCF4AACgkQCXkwKchevtT33QD/ZPFM+vTKi5TXLz5Gci/ChBbbiGOl4ziBhZDn
TeFRKgIA+gNgga9+k7mxjPG2tQQhZHiJY9HRPCbiUEi+b/gro5AJuDgEafmmfRIK
KwYBBAGXVQEFAQEHQHKgn0SbO/XQjUH23kFpCwhzoTQXfF79P63UaUOXcRd2AwEI
B4iUBBgWCgA8FiEE9YsQ7HShf2qzCyOmCXkwKchevtQFAmn5pn0bFIAAAAAABAAO
bWFudTIsMi41KzEuMTIsMCwzAhsMAAoJEAl5MCnIXr7UvQ8BALOyA1YJ3pbcIfhC
YyKc06DBQe+5Yki46XtLjJ57YhsRAQCAg6TvgVGvQ1QR2ALk+lm7uc+xgDcg8tK1
hPhpQPkAAQ==
=3vR0
-----END PGP PUBLIC KEY BLOCK-----

Always verify the fingerprint before encrypting sensitive reports.
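One way to do that check offline, as an added example that is not part of the Morning Pulse policy or its tooling: the script below dearmors the key block printed above, verifies the armor CRC-24, parses the primary public-key packet, recomputes the RFC 4880 v4 fingerprint (SHA-1 over 0x99, the two-byte packet length and the packet body) and compares it with the fingerprint the policy states. The key block and the fingerprint constant are copied from this page; everything else (function names, the small algorithm-id table) is the example's own and uses only the Python standard library.

```python
"""Offline fingerprint check for an ASCII-armored OpenPGP v4 public key."""
import base64
import hashlib
import re

# Fingerprint exactly as printed in the policy page.
STATED_FINGERPRINT = "F58B 10EC 74A1 7F6A B30B 23A6 0979 3029 C85E BED4"

# Armored key block copied from the policy page.
ARMORED_KEY = """\
-----BEGIN PGP PUBLIC KEY BLOCK-----

mDMEafmmfRYJKwYBBAHaRw8BAQdA6Vny/P7xg7/a3TEcrOT3rBiMm7SIFbZvHp5R
j4isbRu0L0d1aWxsYXVtZSBNYXJvbGxlYXUgPHNlY3VyaXR5QG1vcm5pbmdwdWxz
ZS5hcHA+iK8EExYKAFcWIQT1ixDsdKF/arMLI6YJeTApyF6+1AUCafmmfRsUgAAA
AAAEAA5tYW51MiwyLjUrMS4xMiwwLDMCGwMFCwkIBwICIgIGFQoJCAsCBBYCAwEC
HgcCF4AACgkQCXkwKchevtT33QD/ZPFM+vTKi5TXLz5Gci/ChBbbiGOl4ziBhZDn
TeFRKgIA+gNgga9+k7mxjPG2tQQhZHiJY9HRPCbiUEi+b/gro5AJuDgEafmmfRIK
KwYBBAGXVQEFAQEHQHKgn0SbO/XQjUH23kFpCwhzoTQXfF79P63UaUOXcRd2AwEI
B4iUBBgWCgA8FiEE9YsQ7HShf2qzCyOmCXkwKchevtQFAmn5pn0bFIAAAAAABAAO
bWFudTIsMi41KzEuMTIsMCwzAhsMAAoJEAl5MCnIXr7UvQ8BALOyA1YJ3pbcIfhC
YyKc06DBQe+5Yki46XtLjJ57YhsRAQCAg6TvgVGvQ1QR2ALk+lm7uc+xgDcg8tK1
hPhpQPkAAQ==
=3vR0
-----END PGP PUBLIC KEY BLOCK-----
"""

# Public-key algorithm ids from RFC 4880 / RFC 4880bis (table is this example's own).
ALGORITHMS = {1: "RSA", 18: "ECDH", 19: "ECDSA", 22: "EdDSA"}


def crc24(data: bytes) -> int:
    """CRC-24 used by OpenPGP radix-64 armor (RFC 4880, section 6.1)."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF


def dearmor(armored: str) -> bytes:
    """Strip the armor and return the raw packet bytes, checking the CRC-24 line.

    The CRC only detects transmission damage; it is not a security control.
    Authenticity comes from the fingerprint comparison below.
    """
    lines = [ln.strip() for ln in armored.strip().splitlines()]
    if not (lines[0].startswith("-----BEGIN PGP") and lines[-1].startswith("-----END PGP")):
        raise ValueError("not an ASCII-armored OpenPGP block")
    body = lines[1:-1]
    if "" in body:  # armor headers (if any) end at the first blank line
        body = body[body.index("") + 1:]
    crc_line = body.pop() if body and body[-1].startswith("=") else None
    data = base64.b64decode("".join(body), validate=True)
    if crc_line is not None:
        expected = int.from_bytes(base64.b64decode(crc_line[1:]), "big")
        if crc24(data) != expected:
            raise ValueError("armor CRC-24 mismatch: block is corrupted or was altered")
    return data


def parse_first_packet(data: bytes):
    """Parse the first OpenPGP packet header (old or new format); return (tag, body)."""
    ctb = data[0]
    if not ctb & 0x80:
        raise ValueError("invalid packet tag byte")
    if ctb & 0x40:  # new-format header
        tag = ctb & 0x3F
        first = data[1]
        if first < 192:
            length, off = first, 2
        elif first < 224:
            length, off = ((first - 192) << 8) + data[2] + 192, 3
        elif first == 255:
            length, off = int.from_bytes(data[2:6], "big"), 6
        else:
            raise ValueError("partial body lengths are not supported")
    else:  # old-format header: length type in the low two bits
        tag = (ctb >> 2) & 0x0F
        ltype = ctb & 0x03
        if ltype == 3:
            raise ValueError("indeterminate packet length")
        size = {0: 1, 1: 2, 2: 4}[ltype]
        length = int.from_bytes(data[1:1 + size], "big")
        off = 1 + size
    return tag, data[off:off + length]


def key_info(armored: str) -> dict:
    """Return version, creation time, algorithm and v4 fingerprint of the primary key."""
    tag, body = parse_first_packet(dearmor(armored))
    if tag != 6:
        raise ValueError(f"expected a public-key packet (tag 6), got tag {tag}")
    if body[0] != 4:
        raise ValueError(f"only v4 keys are handled, got version {body[0]}")
    # RFC 4880 section 12.2: SHA-1 over 0x99 || two-byte length || packet body.
    digest = hashlib.sha1(b"\x99" + len(body).to_bytes(2, "big") + body)
    return {
        "version": body[0],
        "created": int.from_bytes(body[1:5], "big"),
        "algorithm_id": body[5],
        "algorithm": ALGORITHMS.get(body[5], f"unknown ({body[5]})"),
        "fingerprint": digest.hexdigest().upper(),
    }


def fingerprint_matches(armored: str, stated: str) -> bool:
    """Compare the recomputed fingerprint with a printed one, ignoring spacing and case."""
    wanted = re.sub(r"\s+", "", stated).upper()
    return key_info(armored)["fingerprint"] == wanted


if __name__ == "__main__":
    info = key_info(ARMORED_KEY)
    fpr = info["fingerprint"]
    print("algorithm :", info["algorithm"])
    print("computed  :", " ".join(fpr[i:i + 4] for i in range(0, 40, 4)))
    print("stated    :", STATED_FINGERPRINT)
    print("match     :", fingerprint_matches(ARMORED_KEY, STATED_FINGERPRINT))
```

Because both the key block and the printed fingerprint come from the same page, a match shows the two are consistent and that the block was not corrupted or swapped in transit; it does not replace obtaining the fingerprint over a second channel (the security.txt file, a signed message, or direct contact) before trusting the key.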