Security disclosure

Last updated: 2026-05-08

We take security seriously. If you believe you have found a vulnerability in XDiscourse, please report it to security@xdiscourse.com.

Coordinated disclosure

We aim to acknowledge reports within 48 hours and to publish a fix or mitigation within 30 days for critical issues. We will credit reporters who request credit.

Scope

• xdiscourse.com and all subdomains.
• The Stripe checkout flow and webhook handler.
• Authentication endpoints (magic link, Google OAuth).

Out of scope

• Reports requiring root-level compromise of unrelated infrastructure.
• Pure social engineering of staff.
• Volumetric DoS without a working proof-of-concept.

Posture

• HTTPS-only with HSTS.
• Webhook signatures verified before parsing.
• All untrusted input parsed by Zod at the boundary.
• Sensitive data redacted from logs.
• Dependencies scanned weekly.

Contact

Zero Point Studio d.o.o.
Rudeška cesta 179, 10000 Zagreb, Croatia
Email: security@xdiscourse.com
See also /.well-known/security.txt.

Related policies

• Terms of Service
• Privacy Policy
• Refund Policy