
Security

Responsible Disclosure

We treat user trust and platform integrity as load-bearing infrastructure. If you have found a security issue, please tell us — we will work with you in good faith to fix it.

How to report

Email dpo@thegreensweep.org with a description, reproduction steps, affected URLs or endpoints, and any proof-of-concept material. Please do not test against real-user data.

For issues that are actively exploitable in production, send the report to the same address with [URGENT] at the start of the subject line.

Acknowledgement: within 3 business days

Initial triage: within 7 business days

Scope

In scope

  • thegreensweep.org production site
  • /api/ routes on the production domain
  • Auth flow: OAuth, magic links, WhatsApp OTP, passkey
  • Vote integrity (multiple votes per period, vote-on-behalf, allocation manipulation)
  • GDPR data subject requests and consent records
  • Documented CSP, CSRF, and authorization model

Out of scope

  • Denial-of-service / volumetric attacks
  • Social engineering of staff or contractors
  • Physical attacks
  • Self-XSS requiring the victim to paste payloads
  • Missing-header reports without an exploit path
  • End-of-life browser issues
  • Sanctioned-country geo-block bypass

Safe harbor

When you act in good faith and within the scope above, we will:

  • Treat your activity as authorised testing for the purposes of computer-fraud statutes in your jurisdiction and ours.
  • Not pursue or support legal action against you arising from your research.
  • Work with you to understand and resolve the issue promptly.

In return, please:

  • Avoid privacy violations, destruction of data, and degradation of the user experience during testing.
  • Allow a reasonable remediation window before public disclosure — by default, 90 days from initial acknowledgement, negotiable for complex issues.
  • Do not exploit a finding beyond the minimum required to demonstrate the issue.

Recognition

We are happy to credit researchers publicly. We do not currently run a paid bug bounty programme; please indicate in your report whether you would like public credit and under what name.

The hall of fame is currently empty. If you contribute, you can choose to be the first listed here.

What we have already shipped

  • Independent penetration test conducted 2026-04-22.
  • Strict Content Security Policy with nonce-based script-src 'strict-dynamic' (enforcing) plus a Trusted-Types Report-Only shadow policy.
  • Cross-Origin Opener Policy and Cross-Origin Resource Policy set to same-origin.
  • Passkey / WebAuthn MFA available; required for high-privilege admin surfaces (AAL2).
  • Sanctions geo-block at the edge (CU, IR, KP, SY, RU, BY) returning HTTP 451.
  • Cloudflare Turnstile bot challenge on the vote endpoint.
  • Nightly fraud sweep clustering accounts by IP /24 subnet, email domain, and device fingerprint; any cluster of ten or more accounts is escalated for review.
  • Referral-graph topology detection (circular chains, IP fan-out) with daily security digest.
  • CI security workflows: Gitleaks (per-PR delta + weekly full-history), npm audit with signature verification, Dependabot.
  • GDPR Article 15 (data export) and Article 17 (right to erasure) endpoints with audit-trail preservation per Recital 65.
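As an added illustration of the two detection items above (the nightly fraud sweep and the referral-graph topology check), the following is hypothetical example code written for this page, not thegreensweep.org's implementation. It assumes the /24 grouping, the ten-account escalation threshold and the three signals named above; the allowlist of shared mailbox providers, the "fan-out" reading (one referrer whose referees concentrate in a single /24) and every account record are constructed for the example.

```python
"""Hypothetical fraud-sweep logic illustrating the items listed above.
Not the platform's own code; all records and names below are constructed."""
from __future__ import annotations

import ipaddress
from collections import defaultdict
from typing import Callable

ESCALATION_THRESHOLD = 10  # the page's "ten or more"

# Shared mailbox providers carry no signal on their own: thousands of honest
# users share them. Assumed allowlist; a real sweep would derive it from data.
COMMON_MAIL_DOMAINS = {"gmail.com", "outlook.com", "yahoo.com", "icloud.com"}

# Constructed sample: three genuine users who happen to refer each other in a
# ring, plus twelve sock puppets minted from one /24 and all referred by "a".
ACCOUNTS = [
    {"id": "a", "ip": "198.51.100.7",   "email": "a@gmail.com",   "device": "fp-a", "referred_by": "c"},
    {"id": "b", "ip": "192.0.2.44",     "email": "b@outlook.com", "device": "fp-b", "referred_by": "a"},
    {"id": "c", "ip": "198.51.100.200", "email": "c@gmail.com",   "device": "fp-c", "referred_by": "b"},
] + [
    {"id": f"s{n:02d}", "ip": f"203.0.113.{100 + n}",
     "email": f"s{n:02d}@mailbox-drop.example",
     "device": "fp-sock" if n <= 10 else f"fp-sock-{n}",   # ten share one fingerprint
     "referred_by": "a"}
    for n in range(1, 13)
]


def network_key(ip: str) -> str:
    """Map an address to its /24 (IPv4) or /64 (IPv6) so neighbours group together."""
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 64
    return str(ipaddress.ip_network(f"{addr}/{prefix}", strict=False))


def email_domain(email: str) -> str | None:
    """Domain part of an address, or None when it is a shared provider (no signal)."""
    domain = email.rsplit("@", 1)[-1].lower()
    return None if domain in COMMON_MAIL_DOMAINS else domain


SIGNALS: dict[str, Callable[[dict], str | None]] = {
    "ip24": lambda acc: network_key(acc["ip"]),
    "domain": lambda acc: email_domain(acc["email"]),
    "device": lambda acc: acc["device"],
}


def sweep(accounts: list[dict], threshold: int = ESCALATION_THRESHOLD) -> dict[str, list[str]]:
    """Group accounts under each signal; return only groups at or above the threshold.
    Clusters are leads for a human reviewer, not verdicts."""
    groups: dict[str, list[str]] = defaultdict(list)
    for acc in accounts:
        for name, key_fn in SIGNALS.items():
            key = key_fn(acc)
            if key is not None:
                groups[f"{name}:{key}"].append(acc["id"])
    return {k: sorted(ids) for k, ids in groups.items() if len(ids) >= threshold}


def referral_cycles(accounts: list[dict]) -> list[tuple[str, ...]]:
    """Follow referred_by pointers from every account and report each ring once."""
    parent = {acc["id"]: acc.get("referred_by") for acc in accounts}
    found: set[tuple[str, ...]] = set()
    for start in parent:
        path: list[str] = []
        node: str | None = start
        while node is not None and node not in path:
            path.append(node)
            node = parent.get(node)          # unknown referrer ends the chain
        if node is not None:                 # re-entered the path: a cycle
            ring = path[path.index(node):]
            pivot = ring.index(min(ring))    # canonical rotation dedupes reports
            found.add(tuple(ring[pivot:] + ring[:pivot]))
    return sorted(found)


def ip_fan_out(accounts: list[dict], threshold: int = ESCALATION_THRESHOLD) -> dict[str, tuple[str, int]]:
    """Referrers whose referees concentrate in one /24: one operator, many accounts."""
    per_referrer: dict[str, dict[str, int]] = defaultdict(lambda: defaultdict(int))
    for acc in accounts:
        if acc.get("referred_by"):
            per_referrer[acc["referred_by"]][network_key(acc["ip"])] += 1
    flagged: dict[str, tuple[str, int]] = {}
    for referrer, nets in per_referrer.items():
        net, count = max(nets.items(), key=lambda kv: kv[1])
        if count >= threshold:
            flagged[referrer] = (net, count)
    return flagged


def daily_digest(accounts: list[dict]) -> dict:
    """The three findings a nightly run would hand to the security digest."""
    return {
        "clusters": sweep(accounts),
        "referral_cycles": referral_cycles(accounts),
        "fan_out": ip_fan_out(accounts),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(daily_digest(ACCOUNTS), indent=2))
```

On the sample data the sweep flags the twelve-account /24, the twelve-account throwaway domain and the ten accounts sharing a fingerprint, while the shared-provider domains of the genuine users produce no cluster at all; the graph walk reports the a/c/b referral ring exactly once and flags "a" as the single referrer behind the sock puppets. Treat every cluster as a lead rather than a ban: a campus or carrier NAT will put unrelated honest users in one /24.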


This page is a living document. Last revised 2026-04-25.