Bridgedeck

Security

We take the security of seafarers' data seriously. If you believe you've found a vulnerability in any Bridgedeck product or service, please tell us.

Reporting a vulnerability

Email marc@officecaresystems.com with a description of the issue, the steps to reproduce, and any proof-of-concept code or screenshots that help us understand the impact. We'll acknowledge within five working days and keep you posted as we investigate.

Please don't publicly disclose the issue until we've had a reasonable chance to fix it.

In scope

  • bridgedeck.app and any subdomain
  • The Bridgedeck Study iOS and Android applications
  • The Bridgedeck Logbook iOS and Android applications
  • Our Supabase backends and edge functions that serve those apps

Out of scope

  • Reports from automated scanners without a working proof-of-concept
  • Social engineering or phishing of staff or users
  • Denial-of-service or volumetric attacks
  • Missing security headers on static pages where no sensitive data is handled
  • Vulnerabilities in third-party dependencies that have not yet released a fix

Safe harbour

If you make a good-faith effort to comply with this policy during your research, we will consider it authorised, we won't pursue or support legal action against you, and we'll work with you to understand and resolve the issue quickly. Act in good faith: only test against your own accounts and data, don't access or modify other users' data, and don't degrade the service for others.

No bounty (yet)

Bridgedeck is a small operation. We don't currently offer a cash bounty, but we'll credit you publicly on this page if you report a valid issue and want the recognition.

security.txt

Our machine-readable contact information is at /.well-known/security.txt.