Trust

Security

Last updated April 17, 2026

Red Lion hosts venture work that founders and partner programs treat seriously. We treat the security of that data the same way.

Our posture

  • All traffic is served over TLS, with HTTP redirected to HTTPS.
  • Sessions are managed with secure HTTP-only cookies. Passwords are never stored in plaintext.
  • Server-side access uses minimum-privilege credentials. Admin and debug surfaces are gated by role and are not exposed in public navigation.
  • Share links are unguessable tokens. Owners and admins can revoke any link they created, immediately and irreversibly.
  • We rate-limit public endpoints and refuse to leak whether a given share token, account, or invite code exists when the caller is not authorized to know.

Reporting a vulnerability

If you have found something that looks like a security issue, please email hello@redlionintel.com. Include enough detail for us to reproduce the issue — ideally the URL, a description of the unexpected behavior, and a minimal proof of concept.

We ask that you:

  • Give us a reasonable opportunity to investigate and respond before publishing details.
  • Avoid actions that would degrade service for other users (denial-of-service testing, automated scanning, social engineering of staff or partners).
  • Avoid accessing or modifying data that does not belong to you, beyond the minimum needed to demonstrate the issue.

If you act in good faith under these guidelines, we will not pursue legal action for your research and will work with you to resolve the issue promptly.

What is not in scope

  • Findings from automated scanners without a working exploit.
  • Missing security headers on third-party assets we do not control.
  • Self-XSS that requires the user to paste content into the browser console.
  • Reports that depend on outdated browsers or non-standard configurations.