Security
Last updated: April 19, 2026
We take the security of neverboringnow and our users' data seriously. Protecting the information you trust us with is a core priority, not an afterthought. This page describes the controls we have in place and how security researchers can report vulnerabilities to us.
How we protect your data
- Authentication. Passwordless Magic Link OTP via Supabase Auth. We do not store user passwords.
- Database isolation. Row-level security (RLS) enforced on all tables. A database trigger additionally prevents user clients from modifying protected columns.
- Encryption. Data encrypted at rest (Supabase-managed) and in transit (TLS via Cloudflare).
- Input validation. Prompt injection filters, schema and length validation, and parameterized database queries on every API endpoint.
- Webhook integrity. Inbound payment webhooks are verified with HMAC-SHA256 timing-safe comparison before any state change.
- Network hardening. HTTPS with HSTS. Response headers include X-Frame-Options, X-Content-Type-Options, Referrer-Policy, and Permissions-Policy. Cloudflare Bot Fight Mode, Rate Limiting, and AI Labyrinth are enabled.
- Email security. DMARC (quarantine policy), SPF, and DKIM configured. Inbound mail routed via Cloudflare Email Routing.
- Privacy and data lifecycle. GDPR and CCPA compliant. Account deletion is available in account settings and removes all associated data. Cookie consent with granular control; analytics run only after explicit opt-in.
- Payment data. Credit card details are never stored on our servers. Lemon Squeezy (PCI-DSS compliant) handles all payment processing as the merchant of record.
Reporting a vulnerability
If you discover a security vulnerability affecting neverboringnow, please report it by email to security@neverboringnow.com.
Please include:
- A clear description of the vulnerability
- Steps to reproduce, including any required accounts, payloads, or preconditions
- Impact assessment (what an attacker could do)
- Affected URL(s) or endpoint(s)
- Suggested remediation (optional)
We accept reports in English.
Scope
In scope
- neverboringnow.com and all its API endpoints (/api/*)
- Cloudflare Workers deployment (neverboringnow.neverboringnow.workers.dev)
- Authentication flow (Magic Link via Supabase Auth)
- /.well-known/security.txt
Out of scope — report to the vendor directly
Issues affecting our subprocessors should be reported to the respective vendor. See the Subprocessors section below for contact points.
Not eligible under this policy
- Denial-of-service, volumetric, or load-testing attacks
- Automated scanning that degrades service quality
- Missing security headers without a demonstrated impact
- Self-XSS or issues requiring physical access to the victim's device
- Social engineering of our staff, contractors, or users
- Clickjacking on pages without sensitive actions
- CSRF on logout or unauthenticated endpoints
- Bugs requiring outdated, rooted, or jailbroken devices
- Rate-limit bypass without demonstrated harm
- UI/UX issues without a security impact
- Issues affecting third-party integrations we do not control
What we ask of researchers
When participating in our disclosure program in good faith, we ask that you:
- Make a good-faith effort to avoid privacy violations, service disruption, and data destruction
- Access only the minimum data needed to demonstrate a vulnerability; stop immediately upon encountering personal data (PII) and report the issue
- Use only test accounts you control or for which you have explicit permission
- Avoid automated scanning that may affect service reliability for other users
- Do not engage in social engineering, physical attacks, or extortion
- Refrain from public disclosure before we have had a reasonable opportunity to remediate
- Report the vulnerability promptly once identified
What you can expect from us
- Acknowledgment of receipt within 2 business days
- Initial triage and a response on next steps within 5 business days
- Progress updates as we work toward remediation
- Public acknowledgment in our recognition list (with your consent) once the fix is deployed
We are a small team, so remediation timelines will be proportionate to severity. Critical issues receive immediate priority.
Coordinated disclosure
Please allow at least 90 days from the initial report before publicly disclosing a vulnerability, or coordinate an earlier disclosure date with us once the fix is deployed. If you believe a vulnerability poses an active risk to users and 90 days is insufficient, contact us and we will work with you on an appropriate timeline.
Safe harbor
We consider security research conducted in accordance with this policy to be:
- Authorized under applicable anti-hacking laws, and we will not initiate or support legal action against you for accidental, good-faith violations of this policy
- Authorized under relevant anti-circumvention laws, and we will not bring a claim against you for circumvention of technology controls
- Exempt from restrictions in our Terms of Service that would otherwise prohibit security research activities, waived on a limited basis for researchers complying with this policy
- Lawful, helpful to the overall security of the internet, and conducted in good faith
If legal action is initiated by a third party against you for activities conducted in compliance with this policy, we will take steps to make it known that your actions were authorized.
This safe harbor applies only to legal claims under our control; it does not bind independent third parties, including the subprocessors listed below. If you are unsure whether your planned research is consistent with this policy, please contact us at security@neverboringnow.com before proceeding.
Recognition
We do not currently operate a monetary bug bounty program. For valid, previously unreported vulnerabilities we will:
- Publicly credit you in our acknowledgments list below (with your consent) after the fix is deployed
- At our discretion, offer a token of appreciation for exceptionally high-impact reports
Acknowledgments
No acknowledgments yet. Your name could be here.
AI and model safety reports
As an AI-powered product, we also welcome reports specific to model behavior. Examples of in-scope AI issues:
- Prompt injection that causes data to leak between users
- Ability to extract our system prompts or other users' survey data
- Manipulation of survey results visible to other users
- Model outputs that bypass safety filters and produce harmful content
- Training-data extraction from generated persona responses
For AI-related reports, please prefix your email subject line with [AI-Security] so we can route it appropriately.
Subprocessors
We rely on the following subprocessors to operate the service. Security issues affecting these services should be reported directly to the respective vendor:
- Supabase — database and authentication — supabase.com/security
- Cloudflare — hosting, DNS, CDN, Workers — cloudflare.com/disclosure
- Lemon Squeezy — payment processing — help@lemonsqueezy.com
- Resend — transactional email — resend.com/security/responsible-disclosure
- OpenAI — AI persona generation — openai.com/security
- Google — analytics (opt-in only) — bughunters.google.com
Contact
Security issues: security@neverboringnow.com
Non-security inquiries: hello@neverboringnow.com