Security Notice
Account safety guidance and responsible reporting for security vulnerabilities.
Security Notice
Protect your account
Use a unique password, enable passkeys when available, protect your email account, and never share one-time codes. Review the domain before entering credentials. Official EnderHaven pages use enderhaven.com.
Protect API and payment credentials
Client secrets, server keys, SMTP passwords, webhook secrets, and private tokens must never be posted in project files, screenshots, public repositories, support chats, or comments. Rotate any secret that may have been exposed.
Responsible disclosure
Send vulnerability reports to security@enderhaven.com with:
- A clear description of the issue
- Affected URL or feature
- Reproduction steps
- Expected and actual behavior
- Potential impact
- Screenshots or a minimal proof of concept when safe
Do not access data that is not yours, disrupt production services, perform denial-of-service testing, send spam, or publicly disclose an unresolved vulnerability.
Suspicious project files
Do not run a suspicious download on a production server. Preserve the project URL and version information, then submit a report through the website. EnderHaven may temporarily disable access while a file is reviewed.
No guaranteed bounty
Submitting a report does not create a right to payment. Any recognition or reward is decided separately by EnderHaven.