Security Policy

Last updated:

WorkoutGen is a project built by two friends in France - one developer, one sports coach - with one simple goal: make personalized fitness free and accessible for as many people as possible.

If you find a vulnerability, please tell us. We cannot pay bug bounties - there is no VC behind this, just the two of us trying to keep the lights on. But we take every report seriously and will do everything we can to fix it fast.

Responsible researchers are publicly credited in our Hall of Fame. No reward beats knowing you helped protect thousands of people who are just trying to get healthier.

How to report a security issue

Email us directly. We respond within 48 hours - no ticketing system, no corporate black hole, just us.

Email: security@workoutgen.app

RFC 9116 file: /.well-known/security.txt

Please include

  • Clear reproduction steps
  • Measurable impact
  • Affected scope (URL, endpoint, user flow)
  • Proof of concept or screenshots when possible

Scope

This policy covers workoutgen.app, my.workoutgen.app, and all related services. If you are unsure whether something is in scope, ask first - we would rather have a false alarm than miss a real issue.

What we ask of you

  • Do not access or copy user data beyond what is strictly needed to prove the vulnerability exists
  • Do not run denial-of-service tests - our infrastructure is lean and we pay for every request
  • No social engineering, phishing, or physical attacks
  • If you accidentally access something sensitive, stop and tell us - we will keep it confidential and work with you, not against you

What you can expect from us

We will acknowledge your report within 48 hours and be transparent about what we find and what we can realistically do. We will not take legal action against good-faith security research.

We are a two-person team, so timelines depend on severity and complexity. Critical issues always get immediate attention.

Hall of Fame

These researchers chose to help instead of harm. We are grateful.

| Researcher | Finding | Specialty | Year | Profile |
|---|---|---|---|---|
| Pavan Baile | Clickjacking (X-Frame-Options) | Web Security | 2026 | LinkedIn |
| Siva Karthik Reddy | Broken Session Management | Red Teaming | 2026 | LinkedIn |
| Paladugu Gopichandu | Email Change Without Verification | Web Security | 2026 | LinkedIn |
| Sairam Batraju | Password Reset Rate Limiting | Web Security | 2026 | LinkedIn |
| Harshini Priya R | CORS Misconfiguration | Web Security | 2026 | LinkedIn |