Security
How Sindro LLC protects DupeDJ, and how to responsibly report security issues you find.
Report a vulnerability
Email security@dupedj.com with a description, reproduction steps, and any proof-of-concept material. PGP key available on request. We aim to acknowledge within two (2) business days and provide a remediation estimate within ten (10) business days for confirmed vulnerabilities.
Scope
In scope:
- The DupeDJ desktop application (Windows + macOS builds shipped by Sindro LLC)
- The dupedj.com website and all *.dupedj.com subdomains
- Public API routes under https://dupedj.com/api/*
- The license activation, validation, and signing flow
Out of scope (please don't test these):
- Anything that disrupts service for legitimate users (DoS, brute force, etc.)
- Social engineering of Sindro LLC staff or our vendors
- Physical attacks against Sindro LLC offices or hardware
- Third-party services (Stripe, Neon, Vercel, Resend) — report directly to them
- Findings only exploitable with already-compromised user credentials or hardware
Safe harbor
Sindro LLC will not pursue civil or criminal action against you for security research conducted in good faith and in accordance with this policy. We follow the principles set out at disclose.io: good-faith research, no harm to users, respect for privacy, no extortion, and reasonable disclosure timelines.
Severity classes
- Critical: remote code execution, full license bypass, theft of payment data, or unauthorized access to user accounts at scale
- High: single-account compromise, payment-flow tampering, signed-token forgery
- Medium: stored XSS, IDOR on non-sensitive endpoints, privilege escalation within a user's own account
- Low: missing security headers, verbose error messages, reflected XSS gated on user interaction
Sindro LLC does not currently run a paid bug-bounty program. We may offer thanks, swag, or a public hall-of-fame credit at our discretion.
Security architecture summary
- License tokens are Ed25519-signed by a server-held private key; the desktop verifies tokens locally with a baked-in public key.
- License keys are stored in the OS keychain on the desktop where available, with a fallback to a file in the app data directory.
- License-file writes on the desktop use atomic temp-file + fsync + rename.
- Per-tier offline grace windows: 1d / 7d / 14d / 30d (Trial / Personal / Pro / Lifetime).
- Server-side metered endpoints verify the signed token in soft-fail mode (will become hard-fail after rollout).
- Webhook idempotency is enforced server-side via a dedicated WebhookEvent table.
- Passwords for email/password accounts are bcrypt hashed (work factor 12); social sign-in (Google/Discord) bypasses local password storage entirely.
security.txt
We publish a security.txt in the format defined by RFC 9116.