DispatchPrep · Security
Responsible Disclosure
We take security seriously. If you've found a vulnerability in DispatchPrep — the website, the audio modules, the Stripe checkout flow, the authentication system, or any of our Netlify functions — please report it to us privately so we can fix it before it can be exploited.
How to report
Email security@dispatchprep.com with:
- A clear description of the issue and where you found it (URL, function name, screen, etc.).
- Steps to reproduce, including any payloads, headers, or specific account state required.
- Your assessment of the impact (data exposure, privilege escalation, financial impact, denial of service, etc.).
- Optional: a suggested fix.
What we promise
- We'll acknowledge your report within 72 hours (usually same-day).
- We'll keep you updated on triage and fix status while we investigate.
- We won't pursue legal action against researchers acting in good faith under this policy.
- We'll credit you publicly (with your permission) once the fix is shipped.
Scope
In-scope: anything on dispatchprep.com and its subdomains, the Netlify functions under /.netlify/functions/*, the Supabase project (trdmslucwncsukrgeptm), and any code in the public dispatchprep/dispatchprep GitHub repository.
Out of scope
- Social engineering of DispatchPrep staff, customers, or contractors.
- Physical attacks, brute-force password attacks, denial-of-service attacks, or anything that intentionally degrades service for legitimate users.
- Vulnerabilities in third-party services we depend on (Stripe, Supabase, Netlify, Cloudflare, etc.) — please report those directly to the vendor.
- Reports of missing security headers or version-disclosure issues without a demonstrated impact.
- Automated scanner output without a working proof-of-concept.
Rewards
DispatchPrep is a small, early-stage company and does not currently offer monetary bug bounties. We do offer public credit, a written thank-you, and the satisfaction of knowing real public safety dispatchers will train on a safer platform because of your work.
Machine-readable contact
This site publishes an RFC 9116 security.txt at the standard /.well-known/security.txt location.