Security disclosure policy

Systems in scope

This policy applies to the QuizBase service at quizbase.runriva.com, its public API at /api/v1/*, its MCP server at /mcp, the documentation site under /docs, and assets served from those origins. Source code repositories on GitHub (maciejdzierzek/quizbase, maciejdzierzek/quizbase-sdk-ts, maciejdzierzek/quizbase-dumps-byasa) are also in scope when reporting vulnerabilities in code or releases.

Out of scope

• Third-party services we depend on (Stripe, Cloudflare, Railway, Backblaze B2, Resend, Sentry, npm packages, GitHub itself). Please report vulnerabilities in those services directly to the respective vendor.
• Other domains owned by Maciej Dzierżek that are not listed under "Systems in scope" — including maciejdzierzek.com, runriva.com, and app.runriva.com.

Our commitments

• Respond to your report promptly (target: initial acknowledgment within 3 business days), and work with you to understand and validate the issue.
• Keep you informed about the progress of the vulnerability as it is processed.
• Work to remediate discovered vulnerabilities in a timely manner, within our operational constraints.
• Extend safe harbor for your vulnerability research that is conducted in line with this policy (see "Safe harbor" below).

What we ask of you

• Play by the rules — follow this policy and any other relevant agreements. If there is any inconsistency between this policy and other terms, this policy prevails for security research.
• Report any vulnerability you have discovered promptly.
• Avoid violating the privacy of others, disrupting our systems, destroying data, and degrading the user experience.
• Use only the official channels listed below to discuss vulnerability information with us.
• Give us a reasonable amount of time (at least 90 days from the initial report) to resolve the issue before disclosing it publicly. We will work with you on a coordinated disclosure timeline.
• Perform testing only on in-scope systems, and respect systems and activities that are out of scope.
• If a vulnerability provides unintended access to data: limit the amount of data you access to the minimum required for a Proof of Concept; cease testing and submit a report immediately if you encounter user data (Personally Identifiable Information, payment data, or proprietary information).
• Do not engage in extortion, threats, or any communication that conditions a fix on payment outside this policy.

Official channels

Please report security issues by email to [email protected] with the subject line prefix [SECURITY]. The more details you provide (steps to reproduce, affected endpoints, impact, proof of concept), the easier it is for us to triage and fix the issue.

Machine-readable pointer per RFC 9116 is published at /.well-known/security.txt.

Safe harbor

When conducting vulnerability research according to this policy, we consider this research to be:

• Authorized with respect to any applicable anti-hacking laws, and we will not initiate or support legal action against you for accidental, good-faith violations of this policy.
• Authorized with respect to any relevant anti-circumvention laws, and we will not bring a claim against you for circumvention of technology controls.
• Exempt from restrictions in our Terms of Service that would interfere with conducting security research — we waive those restrictions on a limited basis for research consistent with this policy.
• Lawful, helpful to the overall security of the internet, and conducted in good faith.

You are expected, as always, to comply with all applicable laws. If legal action is initiated by a third party against you and you have complied with this policy, we will take steps to make it known that your actions were conducted in compliance.

Note: this safe harbor applies only to legal claims under the control of QuizBase. It does not bind independent third parties.

Last updated

2026-05-11. This policy is reviewed quarterly. The /.well-known/security.txt Expires field tracks the next mandatory review date.