§00|Security policy · v1 · 2026-05-26

report it. we'll fix it. we'll credit you.

satus takes the security of the CLI, the marketing site, and the license-verification API seriously. This page is the canonical coordinated-disclosure contract; a SECURITY.md mirrors it inside the (currently private) source repository for tooling that expects a repo-root file. (RFC 9116 defines the web-host equivalent, /.well-known/security.txt, not a repository file.) To report a vulnerability, email support@satus.sh.

§01|Report a vulnerability

email, not issues.


Email support@satus.sh with a subject line beginning SECURITY: followed by a short summary. Until a dedicated security@ mailbox is published (and listed in an RFC 9116 security.txt), support@ is the canonical address; a human reads it every business day.

Please include:

  • A description of the issue and its impact.
  • Reproduction steps, a proof-of-concept, or a minimal failing schema.
  • The affected version (satus --version) and runtime (Node version, operating system).
  • Your preferred name and contact for credit, or a request to remain anonymous.

Please do not open public GitHub issues, post to social media, or share details with third parties before we have had a chance to respond.

§02|What to expect

2 days, 7 days, 90 days.


  • Acknowledgement within 2 business days.
  • Triage decision (accepted, needs more info, not a vulnerability) within 7 business days.
  • Coordinated disclosure timeline agreed with the reporter. Default embargo is 90 days from triage, shortened if a fix ships sooner.
  • Credit in the release notes for the fix, unless anonymity is requested.

§03|Scope

what counts, what doesn't.


In scope:

  • The satus CLI—the satus binary distributed on npm and Homebrew.
  • The satus.sh marketing site and the license-verification API (/api/public/license/verify, /api/public/payments/webhook).
  • License-delivery emails sent from PasskeyBridge LLC infrastructure.

Out of scope:

  • Issues that require physical access to a user's machine.
  • Denial-of-service via deliberate misuse of the user's own LLM API key quota.
  • Social engineering of PasskeyBridge LLC staff or customers.
  • Findings on third-party services (Stripe, the user's chosen LLM provider, the user's database). Please report those to the respective vendors.

§04|Data & keys

your data stays on your machine.


satus is a CLI you run locally or in your own CI. The schema it introspects, the rows it generates, and the database it writes to never traverse PasskeyBridge LLC infrastructure.

  • LLM API key. Bring-your-own. The key is read from OPENAI_API_KEY at runtime, sent directly from your machine to your chosen provider, and never proxied through satus.sh.
  • Database URL. Read from DATABASE_URL at runtime. satus connects directly to your Postgres; we never see the connection string or the data it returns.
  • Telemetry. Off by default. No automatic schema uploads, no command-line argument collection.
  • License records. Email address, Stripe customer ID, and license key are stored in an encrypted Postgres database managed by PasskeyBridge LLC. See the privacy policy for retention.

§05|Infrastructure

encrypted in transit and at rest.


  • TLS everywhere. All traffic to satus.sh and to /api/public/license/verify is served over TLS terminated at Cloudflare.
  • Encrypted at rest. License records live in a Supabase-managed Postgres database with disk-level encryption.
  • Payments. Card data is handled exclusively by Stripe (PCI-DSS Level 1). satus.sh never sees a primary account number; we store only the Stripe customer ID and the resulting license key.
  • Webhooks. The Stripe webhook endpoint verifies the Stripe-Signature header (HMAC-SHA256 over the timestamp and the raw request body, keyed with the endpoint signing secret) on every request before touching the database.
  • Secrets. Service-role credentials are held in Cloudflare Workers environment variables and are never exposed to the browser bundle.

§06|Safe harbor

good-faith research is welcome.


We will not pursue legal action against researchers who:

  • Make a good-faith effort to comply with this policy.
  • Avoid privacy violations, data destruction, and service degradation.
  • Give us reasonable time to remediate before public disclosure.

Thank you for helping keep satus.sh users safe.