Security
Report a Vulnerability
GalaxyWarden handles personal identifiers for breach lookups. If you find a security issue, we want to hear from you before a bad actor does.
Scope
In scope:
- galaxywarden.com and *.galaxywarden.com
- Authentication, session management, and account takeover vectors
- IDOR, SQL injection, XSS, SSRF, RCE
- Data exposure of breach-lookup results across users
- Payment/Stripe flow tampering
Out of scope:
- Findings from automated scanners without a working proof of concept
- Missing security headers on non-sensitive endpoints
- Self-XSS, clickjacking on pages without state-changing actions
- Rate-limit bypass on public marketing pages
- Social engineering of GalaxyWarden staff or users
Coordinated disclosure
- Please give us a reasonable window (30 days for low/medium, 14 days for critical) before public disclosure.
- Do not access accounts or data that aren't yours. Use a test account or your own account only.
- No brute-force, DoS, or automated flooding against production.
- We will acknowledge your report, keep you updated on remediation, and credit you in the hall of fame below unless you prefer to remain anonymous.
Hall of fame
Researchers who have responsibly disclosed issues to us will be listed here with their permission. The list is currently empty — be the first.
Data handling
- Breach-lookup queries are hashed and rate-limited; raw identifiers are not retained beyond the active session unless the user explicitly subscribes to continuous monitoring.
- Breach corpus sources: Have I Been Pwned + DeHashed (publicly disclosed breaches only).
- We do not sell user data. See /privacy and /responsible-use.