Security Policy.

Last updated: May 12, 2026

We take the security of HappyLinks and the sites in our network seriously. If you believe you have found a security vulnerability in any HappyLinks product or service, we want to hear from you, and we will work with you to resolve it quickly. This page describes how to report, what is in scope, and what you can expect from us in return.

1. Reporting a vulnerability

Please email reports to security@happylinks.io. If your report contains sensitive technical detail, you may encrypt it using our PGP key.

A useful report typically includes:

  • A clear description of the issue and its impact
  • Steps to reproduce, ideally with a proof-of-concept request, payload, or script
  • The affected URL, endpoint, plugin version, or product area
  • Your name or handle as you would like it to appear in the Hall of Fame (optional)

Our commitment: we will acknowledge your report within 48 hours, give you a triage update within 5 business days, and keep you informed as we work on a fix.

2. Scope

In scope:

  • The HappyLinks web application (happylinks.io and *.happylinks.io)
  • The HappyLinks public API and OAuth endpoints
  • The HappyLinks WordPress plugin (current and previous minor version)
  • Authentication, authorization, and account-takeover paths
  • Link-injection, request, and approval flows that could let one network member affect another

Out of scope:

  • Vulnerabilities in third-party dependencies that we have not yet had a reasonable chance to patch, unless you can demonstrate a concrete exploit against HappyLinks
  • Social engineering of HappyLinks staff, customers, or vendors
  • Denial-of-service, volumetric, or resource-exhaustion attacks
  • Physical attacks against HappyLinks offices or staff
  • Reports based solely on automated scanner output with no demonstrated impact
  • Missing security headers, cookie flags, or TLS configuration issues without a demonstrated exploit
  • Self-XSS, clickjacking on pages with no sensitive actions, and CSRF on unauthenticated forms

3. Safe harbor

We will not pursue or support legal action against researchers who, in good faith:

  • Make a sincere effort to avoid privacy violations, destruction of data, and interruption or degradation of our services
  • Only interact with accounts they own or have explicit permission from the account holder to access
  • Do not exfiltrate more data than is necessary to demonstrate the vulnerability
  • Report the vulnerability to us promptly via security@happylinks.io and give us a reasonable chance to fix it before public disclosure
  • Comply with all applicable laws

We consider research conducted under this policy to be authorized, and we will work with you in good faith to resolve issues. If a third party initiates legal action against you for activity that complied with this policy, we will make this authorization known.

4. Coordinated disclosure

We follow a coordinated disclosure model with a 90-day timeline:

  • Day 0: You report the issue. We acknowledge within 48 hours.
  • Days 1–5: We triage, confirm, and assign severity.
  • Days 5–90: We develop, test, and ship a fix, keeping you updated on progress.
  • Day 90: Public disclosure window opens. By default we publish a write-up jointly with you. If we need more time, we will say so before day 90 and propose a new date.

We ask that you do not publicly disclose details before the agreed disclosure date, and that you do not use the issue to access, modify, or destroy data you do not own.

5. Bug bounty

We do not offer paid bug bounties at this time. We have written up our decision rationale so researchers know what to expect. In short: HappyLinks is early-stage, and we would rather invest in fast acknowledgments, real coordinated-disclosure relationships, and public credit than run an underfunded payout program.

For confirmed, in-scope vulnerabilities we offer:

  • A personal thank-you from the engineering team
  • Public credit in our Hall of Fame (with your permission)
  • HappyLinks swag, at our discretion

We plan to revisit this decision 6–12 months after launch.

6. PGP key

Our PGP key is published at /.well-known/pgp-key.txt. The key fingerprint will be listed here once the key is generated and rotated through our internal process.

7. Hall of Fame

Thank you to the researchers who have helped keep HappyLinks safe. With their permission, we list them here.

No reports yet — be the first.

8. Contact

All security correspondence should go to security@happylinks.io. For non-security questions, please see our Privacy Policy or Terms of Service.