Djoji is a security product. We expect our own software to meet the bar we hold our customers' software to. This page is how to reach us about a vulnerability, what's in scope, and who has helped us improve.
Reporting a vulnerability
Email security@djoji.com with a clear reproduction, impact assessment, and any proof-of-concept code or traffic captures. Please give us a reasonable window to respond before public disclosure.
We acknowledge receipt of every well-formed report within 3 business days.
We aim to triage within 7 days and remediate within 90 days for High/Critical issues.
We will not pursue legal action against good-faith security research conducted within the scope below.
In scope
djoji.com and subdomains
The scanner pipeline (passive checks, scoring engine, Ghost Echo, Claude narrative)
The customer report surfaces (/results/[id], /compare, embeddable badge)
Authentication and account isolation (Clerk integration, paywall gate, comp-account handling)
Out of scope
Findings already enumerated in our public audit chain (see AUDIT_INDEX.md in the repo) — we're working through them on a published schedule.
Rate-limit / denial-of-service tests without prior written coordination.
Social-engineering of Djoji staff, contractors, or customers.
Physical-security testing.
Reports for third-party services (Vercel, Supabase, Clerk, Anthropic, Resend) — please report those directly to the vendor.
Acknowledgments
We thank the following researchers for responsibly disclosed findings. Your name appears here at your request — let us know how you'd like to be credited.
No external researchers yet — this list begins with the first disclosed finding.
Last updated 2026-05-23 · This policy may evolve as the product matures; check /.well-known/security.txt for the canonical expiry date.