Security Policy

BurnLink takes security seriously. If you discover a vulnerability, we ask that you report it to us privately before disclosing it publicly. We will acknowledge your report within 48 hours and work to resolve confirmed issues promptly.

How to report

Send a detailed report to hello@paperfrogs.dev. Please include:

  • A description of the vulnerability
  • Steps to reproduce it
  • The potential impact
  • Any proof-of-concept code or screenshots

We will respond within 48 hours and keep you updated throughout remediation.

In scope

  • Client-side cryptographic implementation flaws that expose plaintext data
  • One-time link bypass — race conditions, caching, or replay attacks
  • IDOR (Insecure Direct Object Reference) on /api/ endpoints
  • Password protection logic flaws (brute-force bypass, timing attacks)
  • Authentication or authorization bypasses
  • Cross-site scripting (XSS) that can steal keys or hijack sessions
  • Server-side request forgery (SSRF)
  • Sensitive data leakage (metadata, filenames, encryption keys)

Out of scope

  • Denial-of-service attacks, including volumetric flooding
  • Social engineering or phishing of BurnLink staff
  • Vulnerabilities in third-party dependencies unless directly chainable to data loss or RCE
  • Self-XSS with no realistic attack vector
  • Missing HTTP headers without a demonstrable exploit
  • Rate limiting on non-sensitive endpoints
  • Physical security

Recognition

We do not offer monetary bounties. Instead, valid reporters are recognized publicly in our Hall of Fame (with their consent) and receive the following acknowledgements based on severity:

  • Critical: Hall of Fame + Special Thanks
  • High: Hall of Fame + Shoutout
  • Medium: Hall of Fame
  • Low / Info: Honorable Mention

Only the first reporter of a valid, previously unknown issue is eligible; duplicate reports are not. You may opt for anonymous credit if you prefer not to be named.

Scope

The following hosts are in scope:

  • burnlink.page
  • *.burnlink.page

Rules of engagement

  • Do not access, modify, or delete data that does not belong to you
  • Do not perform active exploitation against real users or their files
  • Do not perform denial-of-service testing against production systems
  • Give us reasonable time to remediate before any public disclosure
  • Act in good faith — we will do the same

BurnLink's primary security promise is that the raw encryption key never leaves your browser and that one-time links are truly one-time. Any finding that breaks either of these guarantees will be treated as critical severity regardless of CVSS score.

Hall of Fame

Security researchers who responsibly disclosed valid vulnerabilities and helped make BurnLink safer are recognized on our dedicated Hall of Fame page, along with the full findings log.