Security Policy

Last updated: April 27, 2026

FinalDraft takes the security of our service and the data our users entrust to us very seriously. We welcome reports of security vulnerabilities from the security research community and operate a coordinated disclosure program.

Acknowledgement: within 72 hours
Triage: within 7 days

1. Reporting a vulnerability

Email curtis@finaldraft.dev with the subject line "Security report - [brief summary]".

Please do not file a public GitHub issue, post on social media, or otherwise disclose the issue publicly until we have had a reasonable opportunity to investigate and remediate.

To help us triage your report quickly, please include where possible:

  • A clear description of the vulnerability and impact
  • Step-by-step reproduction instructions
  • Affected URLs, endpoints, OAuth scopes, or component names
  • Any proof-of-concept code, screenshots, or videos
  • Your name and contact info if you would like credit

2. Our service-level commitments

  • Acknowledge receipt within 72 hours
  • Triage and confirm or refute within 7 days
  • Provide a fix:
    • Critical: 30 days
    • High: 60 days
    • Medium: 90 days
    • Low: best effort
  • Credit you in our acknowledgements after the fix ships, if you wish

3. Safe harbor

Security research conducted under this policy is considered:

  • Authorized in accordance with the Computer Fraud and Abuse Act (CFAA), or analogous local laws
  • Exempt from Digital Millennium Copyright Act (DMCA) restrictions on circumvention
  • Exempt from the restrictions in our Terms of Service to the extent strictly necessary to perform the research

We will not pursue legal action against, or take retaliatory action toward, researchers who report vulnerabilities in good faith following this policy and avoid privacy violations, destruction of data, degradation of our service, social engineering, or testing on accounts that do not belong to them.

4. Scope

In scope:

  • FinalDraft web application: finaldraft.dev
  • FinalDraft Chrome extension
  • Public APIs under /api/*
  • OAuth flows for Google (gmail.readonly, gmail.compose, userinfo.email) and Microsoft (Mail.Read)

Out of scope:

  • Self-XSS or anything requiring social engineering of the victim
  • Reports from automated scanners without proof of impact
  • Missing security headers without a demonstrated exploit chain
  • Rate-limiting on non-authenticated endpoints
  • Third-party services (Stripe, Supabase, Vercel, OpenAI, etc.) unrelated to our integration
  • Email spoofing for domains we do not control

5. Compliance

FinalDraft is undergoing CASA Tier 2 assessment as required by Google for applications using the restricted gmail.readonly scope. Our hardening posture as of the latest review:

  • All production dependencies pass npm audit (zero vulnerabilities)
  • Strong HTTP security headers: HSTS preload, restrictive CSP, X-Frame-Options DENY, Referrer-Policy, Permissions-Policy
  • Sentry observability configured with sendDefaultPii: false, session-replay masking, and a defense-in-depth scrubber that redacts emails, bearer tokens, and JWTs before transmission
  • OAuth tokens stored encrypted at the database layer with row-level security; service-role access only from server-side code
  • Production Chrome extension manifest restricts externally_connectable to finaldraft.dev only (no Vercel preview URLs, no localhost in shipped builds)
  • No production secrets present in repository git history
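As an added illustration of the scrubber described above (example code written for this page, not FinalDraft's own implementation; the regexes, event shape and sample values are assumptions), a Sentry-style beforeSend hook that redacts e-mail addresses, Bearer tokens and JWTs from an event before it is transmitted:

```javascript
// Added example, not FinalDraft's own code: a Sentry-style beforeSend hook that
// redacts e-mail addresses, Bearer tokens and JWTs before an event leaves the app.
// sendDefaultPii: false only stops the SDK from attaching PII itself; it does not
// scrub PII already embedded in messages, headers or breadcrumbs, hence this layer.
const EMAIL_RE = /[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/g;
const BEARER_RE = /\bBearer\s+[A-Za-z0-9\-._~+\/]+=*/gi;
// Three base64url segments joined by dots, the shape of a signed JWT.
const JWT_RE = /\b[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\b/g;

function scrubString(s) {
  // Order matters: strip "Bearer <token>" first so a bearer JWT is not left
  // half-matched, then bare JWTs, then e-mail addresses.
  return s
    .replace(BEARER_RE, 'Bearer [REDACTED]')
    .replace(JWT_RE, '[REDACTED_JWT]')
    .replace(EMAIL_RE, '[REDACTED_EMAIL]');
}

// Walk the whole event so nested breadcrumbs, request headers, extra data and
// exception values are covered, not just event.message. Returns a new object;
// the input is not mutated.
function scrubValue(v, depth = 0) {
  if (depth > 20) return '[REDACTED_DEPTH]'; // guard against cyclic or huge events
  if (typeof v === 'string') return scrubString(v);
  if (Array.isArray(v)) return v.map((x) => scrubValue(x, depth + 1));
  if (v !== null && typeof v === 'object') {
    const out = {};
    for (const [k, val] of Object.entries(v)) out[k] = scrubValue(val, depth + 1);
    return out;
  }
  return v; // numbers, booleans, null, undefined pass through
}

// Same signature Sentry calls: beforeSend(event, hint) => event | null.
function beforeSend(event /*, hint */) {
  return scrubValue(event);
}

// Constructed sample event (assumed shape; all values are made up).
const sampleEvent = {
  message: 'Token refresh failed for alice@example.com',
  request: { headers: { Authorization: 'Bearer ya29.a0AfH6SMBexample-token' } },
  breadcrumbs: [{ message: 'Stored session eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxMjMifQ.sflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c' }],
};

// Wire it in next to the other settings: Sentry.init({ dsn, sendDefaultPii: false, beforeSend })
```

The redaction runs client-side before the SDK serialises the event, so even a log line that a developer accidentally formats with a token never reaches the Sentry ingest endpoint.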

6. Machine-readable disclosure

This policy is also published in machine-readable form at /.well-known/security.txt per RFC 9116.