Security Policy
Last updated: April 2025
At SavePorn, the security of our Service and our users' data is a top priority. This policy outlines our security practices, how to report vulnerabilities, and what to expect when you do.
1. Reporting Security Vulnerabilities
If you discover a security vulnerability in SavePorn, we ask that you report it to us responsibly. Please send details to:
When reporting, please include:
- A description of the vulnerability and its potential impact.
- Steps to reproduce the issue, including any relevant URLs, parameters, or payloads.
- The type of vulnerability (e.g., XSS, SQL injection, authentication bypass, data exposure).
- Any screenshots, logs, or proof-of-concept code that demonstrates the issue.
2. Responsible Disclosure
We kindly request that you:
- Do not publicly disclose the vulnerability until we have had a reasonable opportunity to address it.
- Do not access, modify, or delete other users' data as part of your research.
- Do not perform actions that could degrade the Service for other users (e.g., denial-of-service attacks, brute-force attempts at scale).
- Make a good-faith effort to avoid violating the privacy of others.
We will not pursue legal action against individuals who discover and report vulnerabilities in accordance with this policy.
3. Our Response
When you report a vulnerability, you can expect:
- Acknowledgment within 48 hours of your report.
- An initial assessment of the issue within 5 business days.
- Regular updates on our progress toward resolving the issue.
- Credit (if desired) in any public acknowledgment of the vulnerability, once it has been resolved.
4. Scope
The following are in scope for security reports:
- The SavePorn web application at save.porn.
- The SavePorn API.
- Authentication and session management.
- Payment processing flows.
- Browser extensions and native applications published by SavePorn.
The following are out of scope:
- Third-party services we integrate with (Cloudflare, Resend, blockchain networks).
- Social engineering attacks against SavePorn employees or users.
- Physical attacks against SavePorn infrastructure.
- Vulnerabilities in software or systems not owned or operated by SavePorn.
5. Security Practices
SavePorn employs the following security measures to protect user data:
- Encryption in transit: All connections use TLS. Unencrypted HTTP requests are redirected to HTTPS.
- Encryption at rest: User data is stored on Cloudflare's infrastructure with encryption at rest.
- Authentication: We use time-limited magic codes sent via email; no passwords are stored. Session cookies are set with the HttpOnly, Secure, and SameSite=Lax attributes.
- Access control: All API endpoints that access user data require authentication. Users can only access their own data.
- No tracking: We do not use analytics, advertising trackers, or fingerprinting. See our Privacy Policy for details.
- Minimal data collection: We collect only the data necessary to operate the Service.
6. security.txt
In accordance with RFC 9116, we publish a security.txt file at /.well-known/security.txt containing our security contact information and this policy's URL.
7. Contact
For all security-related matters, contact us at: