Typeee
Security
Reporting vulnerabilities and what we commit to · Last updated 2026-04-30
Found a security issue in Typeee? Send it to us. This page tells you where to send it, what's in scope, and what you can expect back.
How to report
typeee.security@wozi.io
A security.txt is published at /.well-known/security.txt.
If your report contains sensitive details, you can encrypt it with our PGP key (linked from security.txt).
What we commit to
- Acknowledgment within 5 business days of receiving your report.
- Initial triage assessment within 10 business days.
- No legal action against good-faith security researchers acting within the scope below.
- Public credit on request after a fix ships.
- Breach notification to affected users within 72 hours of confirming a breach, with a public post-mortem within 30 days.
In scope
- The Typeee Cloud handlers — open source at github.com/wozi-x/typeee-cloud.
- The Typeee Cloud database schema and stored procedures (in the same repo).
- The transparency endpoint at api.typeee.app/transparency.
- The Typeee app's online-mode network behavior — including any traffic that bypasses our backend.
- The marketing site at typeee.app.
Out of scope
- Vulnerabilities in our vendors — Lemon Squeezy, Supabase, OpenRouter, or upstream AI providers. Please report those directly to the vendor.
- Social engineering of Typeee personnel or our support channels.
- Denial-of-service attacks against our infrastructure.
- Reports that require physical access to a user's unlocked device.
- Theoretical issues without a working proof-of-concept.
What makes a good report
- A clear description of the issue and its impact.
- Reproduction steps a reviewer can follow.
- Affected version, commit SHA, or transparency-endpoint snapshot if relevant.
- Suggested fix, if you have one — optional but appreciated.
Don't test against real user data. Use your own test license, or ask us to provide a test environment.