Security
Security policy
Last updated May 12, 2026
Shop Madeira keeps a small amount of data about a small group of people: the 9,487 residents of Madeira, Ohio (2020 census) and the small businesses they shop at. Most of what we hold is public anyway: a shop’s hours, a perk that’s currently running. The parts that aren’t public (your email, your phone, your check-in history) are protected with commercially reasonable controls, and we’d much rather hear about a problem from a researcher than from a headline.
1. Scope
This policy covers vulnerabilities affecting:
- The public Shop Madeira site at shop-madeira.com and m.shop-madeira.com.
- The merchant portal at merchant.shop-madeira.com and the operations console at admin.shop-madeira.com.
- The Fastify worker that handles stamp ledger writes, image generation, and notifications.
- The Shop Madeira iOS application distributed via the App Store.
- Our infrastructure, where the bug is in our configuration (an exposed bucket, an open port, a misconfigured CSP). We can’t accept reports about the underlying provider (Vercel, Neon, Fly.io, Clerk, Upstash); please report those to the provider directly.
We cannot accept reports affecting third-party services we do not control, or affecting sites that look like Shop Madeira but use a different domain.
2. How to report
Email security@shop-madeira.com with:
- A description of the issue, the impact, and the surface affected.
- Steps to reproduce that a developer can follow without guessing.
- Any proof-of-concept artifacts (a payload, a request, a screenshot).
- How we should credit you, if at all.
We will acknowledge your report within two business days and aim to give a first substantive response within seven calendar days. We work in Eastern Time and we’re a small team; please bear with us on weekends and US holidays.
3. Safe-harbor
We will not pursue legal action, file a Computer Fraud and Abuse Act complaint, or invoke the Digital Millennium Copyright Act against a researcher who:
- Acts in good faith to find and report a vulnerability.
- Tests only against accounts they own or have explicit permission to test.
- Avoids privacy violations, destruction of data, and interruption or degradation of the Service.
- Stops testing the moment they obtain evidence of a vulnerability and reports it promptly.
- Does not disclose the vulnerability publicly before we have agreed a timeline.
This safe-harbor is an authorization for the purpose of computer-misuse law in the United States; it does not authorize testing of third parties, of accounts you do not own, or actions outside the scope above.
4. Out of scope
The following are not eligible for coordinated disclosure under this policy:
- Reports that depend on social engineering of Shop Madeira staff or merchants (phishing, pretexting).
- Physical attacks against our offices or staff.
- Volumetric or denial-of-service tests. Do not run scanners against our production surfaces. We will assume any traffic burst is malicious.
- Findings that depend on outdated browsers, jailbroken devices, or stolen credentials.
- Self-XSS, missing security headers without an associated impact, lack of HTTPS on marketing redirects, version banners.
- Issues in third-party providers (Vercel, Neon, Clerk, Fly.io, Upstash, Resend, fal.ai) where Shop Madeira’s configuration is correct; please report those directly to the provider.
5. Disclosure timeline
We aim to:
- Acknowledge your report within two business days.
- Triage and confirm or refute within seven calendar days. If we need longer, we will tell you why.
- Ship a fix to the affected surface within thirty days for high-severity issues and within ninety days for everything else. If a fix needs to wait longer (an upstream dependency, a coordinated release with a provider), we will agree a date with you.
- Coordinate public disclosure with you. Our default position is to publish a short post-mortem when the fix ships, naming you in the credits if you would like.
6. Recognition
We don’t run a paid bug bounty. We do run a recognition wall on this page (added below as we publish credits) and on the security wall at our office. If your report materially reduces risk for our neighbors, we will say thank you, publicly, with your consent.
7. Our practices, briefly
A short summary so you know what to expect when probing the surface area:
- All public surfaces are served over HTTPS with HSTS preload. Mixed content is blocked at the CSP level.
- The stamps ledger is append-only at the database level; writes go through a single worker endpoint with an internal-token guard. The DB has an immutability trigger.
- Every admin and merchant write is audit-logged in the same transaction as the mutation.
- The admin console is IP-restricted. Direct browser access from outside the allowlist short-circuits to /access-denied before any data is fetched.
- Authentication is managed by Clerk. We rotate session secrets, enforce phishing-resistant second factors for staff, and run a Clerk storage janitor that clears stale dev keys on first load.
- Customer payment data is never stored on our servers; we don’t process payments at checkout in v1. Merchant subscriptions are billed through a processor; we hold a token, not the card.
- We rotate secrets through Vercel + Fly environment variables. Production secrets are never committed to git.
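As an added illustration of the append-only ledger item above (not Shop Madeira’s own schema or code): a PostgreSQL statement-level trigger that rejects UPDATE, DELETE and TRUNCATE on a ledger table. The table name stamp_ledger, its columns, and the application role ledger_worker are assumptions; Neon is Postgres, so the syntax applies there.

```sql
-- Added illustration, not Shop Madeira's real schema. Table, column and
-- role names are assumed for the example.
CREATE TABLE stamp_ledger (
    id          bigserial   PRIMARY KEY,
    member_id   uuid        NOT NULL,
    merchant_id uuid        NOT NULL,
    delta       integer     NOT NULL CHECK (delta <> 0),
    created_at  timestamptz NOT NULL DEFAULT now()
);

-- Any attempt to rewrite history raises and aborts the statement.
-- Corrections are made by appending a compensating row (e.g. delta = -1),
-- never by editing or removing an existing one.
CREATE OR REPLACE FUNCTION stamp_ledger_immutable() RETURNS trigger
LANGUAGE plpgsql AS $$
BEGIN
    RAISE EXCEPTION 'stamp_ledger is append-only; % is not permitted', TG_OP
        USING ERRCODE = 'insufficient_privilege';
END;
$$;

-- Statement-level so it also covers TRUNCATE, which row triggers cannot see.
CREATE TRIGGER stamp_ledger_no_rewrite
    BEFORE UPDATE OR DELETE OR TRUNCATE ON stamp_ledger
    FOR EACH STATEMENT EXECUTE FUNCTION stamp_ledger_immutable();

-- The trigger is a backstop, not the only control: the worker's role is
-- granted only what an append-only writer needs, so it cannot disable the
-- trigger or rewrite rows even if its credentials leak.
REVOKE ALL ON stamp_ledger FROM PUBLIC;
GRANT SELECT, INSERT ON stamp_ledger TO ledger_worker;
GRANT USAGE ON SEQUENCE stamp_ledger_id_seq TO ledger_worker;

-- A normal append from the worker still works as before.
INSERT INTO stamp_ledger (member_id, merchant_id, delta)
    VALUES (gen_random_uuid(), gen_random_uuid(), 1);
```

After this runs, an UPDATE, DELETE or TRUNCATE against stamp_ledger from any role fails with the insufficient_privilege error, and the ledger_worker role has no path to alter the trigger because it does not own the table.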
8. About this policy
This policy is published by LeadTimber LLC, the operator of Shop Madeira. It is reviewed at least once a year and any time we make a substantial change to our security posture or threat model.
For non-security inquiries (privacy, accessibility, account questions), see the contact addresses listed on the Privacy Policy and Accessibility Statement.