Security

Djoji is a security product. We expect our own software to meet the bar we hold our customers' software to. This page is how to reach us about a vulnerability, what's in scope, and who has helped us improve.

Reporting a vulnerability

Email security@djoji.com with a clear reproduction, impact assessment, and any proof-of-concept code or traffic captures. Please give us a reasonable window to respond before public disclosure.

Our machine-readable contact record lives at /.well-known/security.txt per RFC 9116.

Our commitments

  • We acknowledge receipt of every well-formed report within 3 business days.
  • We aim to triage within 7 days and remediate within 90 days for High/Critical issues.
  • We will not pursue legal action against good-faith security research conducted within the scope below.

In scope

  • djoji.com and subdomains
  • The scanner pipeline (passive checks, scoring engine, Ghost Echo, Claude narrative)
  • The customer report surfaces (/results/[id], /compare, embeddable badge)
  • Authentication and account isolation (Clerk integration, paywall gate, comp-account handling)

Out of scope

  • Findings already enumerated in our public audit chain (see AUDIT_INDEX.md in the repo) — we're working through them on a published schedule.
  • Rate-limit / denial-of-service tests without prior written coordination.
  • Social-engineering of Djoji staff, contractors, or customers.
  • Physical-security testing.
  • Reports for third-party services (Vercel, Supabase, Clerk, Anthropic, Resend) — please report those directly to the vendor.

Acknowledgments

We thank the following researchers for responsibly disclosed findings. Your name appears here at your request — let us know how you'd like to be credited.

No external researchers yet — this list begins with the first disclosed finding.

Last updated 2026-05-23 · This policy may evolve as the product matures; check /.well-known/security.txt for the canonical expiry date.

Security — Djoji Ghost Protocol