If you have found a vulnerability in The Living Chronicle, please report it to us privately so we can fix it before it gets exploited.
How to report
Email security@aegisbrightsmark.com with:
- A description of the issue.
- Steps to reproduce, if possible.
- The affected URL, endpoint, or app screen.
- Your name and contact info, so we can credit you in the Hall of Fame (optional).
We do not yet have a PGP key for encrypted reports. We will publish one on the /security page once our security.txt is live; until then, please keep sensitive details to the minimum needed for us to reproduce the issue.
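For reference, this is the shape of the security.txt file (RFC 9116) that would encode the policy on this page. It is an added example, not a file the project has published; the Expires date, the host, and the /security, /security/pgp-key.txt and /security/hall-of-fame paths are assumptions. The file must be served over HTTPS at /.well-known/security.txt, and Contact and Expires are the only mandatory fields.

```text
# Added example: security.txt encoding this page's disclosure policy.
# Assumed: the host, the Expires date, and the three URL paths below.
Contact: mailto:security@aegisbrightsmark.com
Expires: 2026-12-31T23:59:59.000Z
Encryption: https://thelivingchronicle.com/security/pgp-key.txt
Acknowledgments: https://thelivingchronicle.com/security/hall-of-fame
Policy: https://thelivingchronicle.com/security
Preferred-Languages: en
Canonical: https://thelivingchronicle.com/.well-known/security.txt
```

Two caveats when going live: RFC 9116 recommends an Expires value less than a year in the future, so the file needs a recurring review date, and once the PGP key exists the file itself should be clear-signed with that key (in which case the Canonical field should be present) so that a researcher can tell a tampered copy from the real one.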
Scope
In scope:
- The production API at api.thelivingchronicle.com.
- The website at thelivingchronicle.com and all its subdomains.
- The iOS and Android apps.
Out of scope:
- Denial of service / volumetric attacks.
- Physical attacks.
- Social engineering of staff.
- Issues that require physical access to an unlocked device.
Rules of engagement
- Do not access or exfiltrate user data beyond what is needed to demonstrate the issue. If you can prove it with a single test record, that is enough.
- Give us 90 days to fix before public disclosure.
- Do not perform automated scans against production. If you need to scan, contact us and we will set up a staging instance.
Response time
We acknowledge security reports within 48 hours. We aim to fix high-severity issues within 30 days and medium-severity issues within 90 days; low-severity issues may take longer.
Bug bounty
We are a small team and do not currently offer monetary bug bounties. We do credit researchers in our Hall of Fame and respond promptly.