Scope
Report vulnerabilities in changelog.gg, public API routes, account and dashboard flows, and Discord OAuth or bot integration, as well as billing integration issues, to security@changelog.gg.
Include the affected URL, steps to reproduce, impact, screenshots or logs where useful, and a safe contact address.
Do not include personal data, secrets, tokens, payment data, or third-party confidential information in a report unless it is strictly necessary to demonstrate impact and you have minimized it.
Safe harbour
We will not pursue legal action for good-faith research that stays within this policy, avoids privacy violations, avoids data destruction, avoids persistence, avoids service disruption, and gives us a reasonable time to investigate before disclosure.
This is not a bounty program and does not promise payment, swag, credits, or public acknowledgement.
Out of scope
Do not run denial-of-service tests, spam Discord servers, attack users or third-party providers, access data that is not yours, use leaked credentials, bypass payment for paid use, or test physical, social, or phishing attacks.