Security Policy
Last updated: 2026-05-13
We take security seriously. This policy spells out how to report a vulnerability, what we promise back, and what's in scope. The canonical metadata for security researchers also lives at /.well-known/security.txt (RFC 9116).
1. How to report
Email security@elido.app — PGP key on request — or open a private report at https://hackerone.com/elido. Both routes reach the same on-call queue. Please include reproduction steps, affected URL/endpoint, and the impact you observed. Don't post details publicly until we've coordinated a fix.
2. Response SLA
First response: within 24 hours. Triaged with a severity rating: within 5 working days. Resolution target: 14 days for High/Critical, 30 days for Medium/Low. If a fix needs longer (e.g. third-party dependency wait), we'll keep you updated weekly.
3. In scope
elido.app (marketing), app.elido.app (dashboard), api.elido.app (REST + GraphQL), elido.me / f.elido.me / s.elido.me / b.elido.me (redirect tiers), docs.elido.app, the Elido iOS and Android apps, the elidoapp/elido-* npm packages, and the Elido MCP server (packages/mcp-server).
4. Out of scope
Third-party services we use (Ory Kratos, Ory Hydra, Crisp, Cloudflare, Anthropic, Stripe, WorkOS, Twilio) — please report directly to them. Brute-forcing rate-limited endpoints (we test those ourselves). Social engineering Elido staff. Volumetric / DoS attacks. Findings that depend on the victim installing malicious software outside Elido. Open redirect via the short link itself — that's the service.
5. Safe harbour
If you make a good-faith effort to comply with this policy, we will not pursue legal action and will work with you to understand and resolve the issue. In practice, good faith means: testing only against accounts you own, not exfiltrating production data, not impacting other customers, and not publicly disclosing before we've shipped a fix.
6. Rewards
Elido runs a paid bug bounty on HackerOne. Indicative rewards (USD): Critical $3000, High $1500, Medium $500, Low $200, Trivial $50 swag-equivalent. Final amount depends on impact, novelty, and quality of the report. We also list non-paid valid disclosures on /legal/security-acknowledgments with your consent.
7. Acknowledgments
We publicly credit researchers who help us at /legal/security-acknowledgments — handle or real name at your choice, and only after the issue is fixed.