2050planet

Security Policy

Found something? Tell us. We respond fast and we won't sue you for helping.

Last updated: 29 April 2026

1. Reporting a vulnerability

Email security@2050planet.com with as much detail as you can. Useful information includes:

  • A description of the vulnerability and its potential impact
  • Steps to reproduce (URL, request payload, expected vs actual behaviour)
  • Whether you've disclosed this to anyone else
  • How you'd like to be credited (or whether you prefer to remain anonymous)

You don't need to be a professional security researcher. Curious users who find something odd are welcome.

2. What we'll do

  • Within 3 business days: we acknowledge receipt of your report
  • Within 10 business days: we triage and tell you whether we've confirmed the issue, what severity we've assigned, and what our fix timeline looks like
  • For critical issues: we patch within 7 days; for high severity within 30 days; for medium within 90 days
  • After the fix: we credit you (with your permission) in our disclosures and on this page

3. Safe harbour

We will not pursue legal action against researchers who do the following, and will work to protect them from third-party legal action:

  • Make a good-faith effort to comply with this policy
  • Report vulnerabilities promptly via the channel above
  • Do not exploit the vulnerability beyond what's necessary to confirm it exists
  • Do not access, modify, or delete other users' data
  • Do not disrupt service for other users
  • Give us reasonable time to fix the issue before public disclosure

4. Scope

The following are in scope:

  • 2050planet.com and its subdomains
  • The TERRA API at /api/terra and any other endpoints under /api/
  • The Supabase Auth integration on this domain
  • Authentication, session handling, and account management flows
  • Database access controls (Row Level Security) on data accessible from this domain

The following are out of scope:

  • Third-party services we use (Supabase, Vercel, Anthropic, Google, Upstash) — please report directly to them
  • Vulnerabilities requiring physical access to a user's device
  • Social engineering of 2050planet staff or contributors
  • Denial-of-service attacks, traffic flooding, or anything that degrades service for other users
  • Spam or content-injection issues that don't cross a security boundary (we don't accept user-generated content yet)
  • Self-XSS that requires the victim to paste attacker-supplied code into their own console
  • Missing security headers without a demonstrated impact (we know about most of these — point us at impact, not headers in isolation)
  • Reports based solely on automated scanner output without manual verification
  • Outdated browser warnings (we follow modern browser support; users on EOL browsers should upgrade)
  • Issues already disclosed to us within the last 90 days

5. Rules of engagement

While testing, you must not:

  • Access, copy, or store any user data other than your own
  • Modify or delete data belonging to others
  • Run brute-force, credential-stuffing, or password-spraying attacks
  • Run automated scanners that generate significant traffic volume
  • Use TERRA to extract its system prompt and publish it (this is interesting research; we'd prefer you tell us privately so we can strengthen our defences)
  • Phish, spam, or attempt to compromise 2050planet team members or other users
  • Disclose the vulnerability publicly before we've had a chance to fix it (90 days from initial report is a reasonable default)

6. Bug bounties

We don't currently run a paid bug bounty programme. We may introduce one as we grow. For now we offer:

  • Public credit on this page (with your permission)
  • A genuine, personal thank-you from the team
  • 2050planet swag for high-impact reports, when we have any to give

We recognise this isn't cash. If you've found something serious and money matters to you, please tell us anyway — we'd rather know and find a way to make it worth your while than have you sit on a real issue.

7. PGP / encrypted reports

For sensitive reports you can request a PGP key by emailing security@2050planet.com with the subject “PGP key request”. We'll respond with our current public key.

8. Hall of thanks

Researchers who've helped us improve 2050planet (most recent first):

(This list will populate as reports come in. If you've sent a valid report and don't see your name here within 30 days of fix deployment, email us.)

9. security.txt

For automated discovery, we publish a security.txt file at /.well-known/security.txt following the securitytxt.org standard.
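For readers who want to see what such a file looks like, here is a security.txt in the shape the securitytxt.org standard (RFC 9116) prescribes. It is an added illustration, not a copy of the file 2050planet actually serves: the Contact address is the one given on this page, the Canonical path is the one stated above, and the Expires date and the Policy and Acknowledgments URLs are assumed placeholders. No Encryption field is included because this page says the PGP key is supplied on request by email rather than at a published URL.

```text
# Illustrative security.txt (not 2050planet's published file)
# Contact: the address this page gives for security reports
Contact: mailto:security@2050planet.com
# Expires is mandatory in RFC 9116; the date below is a constructed placeholder
Expires: 2027-04-29T00:00:00.000Z
# Assumed URLs: the page does not state the paths for these documents
Policy: https://2050planet.com/POLICY-URL-PLACEHOLDER
Acknowledgments: https://2050planet.com/HALL-OF-THANKS-URL-PLACEHOLDER
# Canonical pins the location this page names for the file
Canonical: https://2050planet.com/.well-known/security.txt
Preferred-Languages: en
```

The standard requires the file to be served over HTTPS and recommends that Expires be less than a year in the future, so the date needs refreshing periodically; a stale Expires is the most common reason automated tooling discards an otherwise valid file.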

10. Contact

Security reports only: security@2050planet.com

For privacy questions, see the Privacy Policy. For everything else, hello@2050planet.com.