Security & Responsible Disclosure

Effective: May 22, 2026

Junipy is operated by Make It Radder LLC dba Junipy. We welcome reports from security researchers, customers, and the public about vulnerabilities in Junipy. This page is the public version of our responsible-disclosure policy. The machine-readable contact information is available at /.well-known/security.txt per RFC 9116.

How to report

  • Email: security@junipy.com.
  • Subject line: start with [SECURITY] and a brief category (e.g. [SECURITY] IDOR in /api/transactions).
  • Include: affected URL/endpoint, reproduction steps, expected vs. actual behavior, impact assessment, and (if applicable) a proof-of-concept. Screenshots and short videos are welcome.
  • Do not include real customer data. If you encountered customer data during testing, stop, do not save or transmit it, and tell us in the report.

We do not currently publish a PGP key. If you need to encrypt sensitive details, email us first and we will arrange a secure channel before you transmit specifics.

Response SLAs

  • Initial acknowledgement: within 5 business days of receipt.
  • Triage (severity + scope confirmed): within 10 business days.
  • Resolution: 30 calendar days for High/Critical findings; longer windows possible for Low/Medium with researcher agreement.
  • Public credit: after the fix is live and a reasonable observation window has passed, with your permission.

If you have not heard from us within 5 business days, reply to your original message — emails can get filtered. If still no response, contact nate@junipy.com as a backup.

Scope

In scope

  • junipy.com and any subdomain we operate.
  • The Junipy web application (App Router pages, API routes, server actions).
  • Authentication and session management (email magic link, Google OAuth, session timeout, MFA).
  • Plaid integration (link token exchange, webhook handler, reconnect flow).
  • Admin dashboards.
  • Public-facing endpoints (/privacy, /terms, /security, splash page, waitlist).

Out of scope

  • Denial-of-service, volumetric or application-layer load testing, or any test that risks impact to legitimate users. Rate limits are intentional.
  • Social engineering of Junipy staff, customers, vendors, or contractors.
  • Physical attacks against any individual, residence, or facility.
  • Attacks requiring a privileged position on the victim’s device (existing malware, browser exploits against unpatched users).
  • Issues in third-party services we depend on (Plaid, Vercel, Neon, Resend, Sentry, Upstash, Google OAuth). Report those to the respective vendor; we are happy to coordinate.
  • Self-XSS requiring console paste.
  • Missing security headers without a demonstrated exploit.
  • Outdated dev dependencies (we audit weekly via Dependabot + npm audit in CI).
  • Reports from automated scanners with no demonstrated impact.
  • Spam, abuse, or content moderation issues — those go to support@junipy.com.

If you are unsure whether something is in scope, ask. We would rather hear about a borderline issue than miss a real one.

Safe harbor

If you make a good-faith effort to comply with this policy during your research, we will not pursue or support legal action against you for the activities described below, and we will treat your research as authorized under the Computer Fraud and Abuse Act (CFAA), the DMCA’s anti-circumvention provisions, and applicable Arizona state law. Specifically, safe harbor covers you when you are:

  • Accessing data only to the extent strictly necessary to demonstrate the vulnerability.
  • Avoiding violation of privacy, destruction of data, or disruption of service.
  • Reporting promptly and giving us a reasonable opportunity to remediate before public disclosure.
  • Acting in good faith (no extortion, no monetization of vulnerabilities, no leveraging access for personal gain beyond standard acknowledgments).

If you violate these terms — for example by exfiltrating customer data, testing against unwilling third parties, or publicly disclosing before remediation — safe harbor does not apply.

This safe-harbor language applies only to Make It Radder LLC dba Junipy and is not a release of liability for third parties.

Coordinated disclosure

We ask researchers to give us a reasonable window — typically 30 to 90 days depending on severity — before publicly disclosing details. When a fix is live, we are happy to acknowledge you publicly (with your permission), coordinate the timing of any blog post or advisory you publish, and provide a brief written acknowledgment for your CV or portfolio.

What we don’t offer (yet)

  • No monetary bug bounty at this time. Junipy is pre-revenue (closed beta). We may launch a bounty program post-public-GA. For now we offer public acknowledgment and a sincere thank-you.
  • No swag or branded merchandise.
  • No CVE assignment from us directly — for findings warranting a CVE, we coordinate with MITRE or the relevant CNA via vendor bounty programs when the issue traces to those layers.

Changes to this policy

We may update this policy as Junipy grows. Material changes will be reflected in the Expires field of /.well-known/security.txt and the effective date on this page. Researchers with an active disclosure in flight will be notified by email of any material change before it affects their report.