Responsible disclosure

Found something? Tell Devon directly.

RepairVerdict is built and maintained by one person; the security-reporting channel is one inbox. Devon reads every report within 24 hours and treats security work as a first-class priority over feature work.

Last updated: May 21, 2026

Direct channel

smithperformanceproductions@gmail.com

Subject line: Security report — that lifts your message into Devon’s priority triage queue. Include reproduction steps, expected vs actual behavior, and what data the issue could expose if exploited. Devon will reply within 24 hours.

In scope

Authentication, authorization, session handling on /admin and member areas
Stripe webhook signature verification + checkout-session integrity
Verdict-claim token issuance, hashing (SHA-256), and single-use enforcement
Customer-PII handling (VIN, ZIP, contact_email) at rest and in transit
RLS policies on `inspections`, `verdicts`, `report_claim_tokens`, `customers`
Server-action input validation + sanitization (Zod schemas)
Cron auth (`/api/admin/*`, `/api/webhooks/stripe`) + the platform-header fallback
API rate-limiting + abuse prevention
CSRF / CORS / Content-Security-Policy posture

Out of scope

Reports generated solely by automated scanners with no demonstrated impact
Missing security headers without a demonstrated exploit path
Theoretical risks without a working proof-of-concept
Issues in upstream Makerkit / Next.js / Supabase / Vercel core (report directly to those projects)
Volumetric DoS (we run on Vercel Fluid Compute behind their edge — that's their layer)
Brute-forcing public Verdict UUIDs (consumer Verdicts use the UUID as their bearer secret by design; see /security)
Social-engineering, phishing, or physical attacks against Devon or Smith Performance Productions LLC

What you can expect from us.

Acknowledgement

Within 24 hours

Devon personally reads every security report and replies with a triage assessment.

Triage

Within 5 business days

Severity assigned, scope confirmed, ETA on fix communicated.

Fix

Severity-dependent

Critical / High: same week. Medium: within 30 days. Low: tracked publicly in the engine changelog.

Public disclosure

90 days from report

After the fix ships, we publish an entry to /changelog/engine if customer-facing. Reporter is credited with their permission.

Safe-harbor terms.

We follow the spirit of the disclose.io core terms.

Devon will not pursue legal action against good-faith security research that follows this policy.
You may make a good-faith effort to demonstrate the issue using a test account, your own data, or non-destructive techniques.
You may not access, modify, or destroy data that does not belong to you.
You may not exfiltrate data, even as a proof of concept; describing what you would have been able to access is sufficient.
You may not publicly disclose the issue before the agreed-upon disclosure date or until a fix has shipped — whichever comes first.

Acknowledgements.

Reporters who have followed this policy and helped harden RepairVerdict are listed here with their permission. No entries yet — RepairVerdict is a young product. We’ll add the first valid report when it lands, with the reporter’s consent.