Cake Day takes security seriously. If you believe you've found a vulnerability in Cake Day or any part of our infrastructure, we want to hear from you. This page describes how to report it, what we cover, and what you can expect from us in return.
How to report
Email info@cakeday.io with the subject line “Security vulnerability report”. Please include:
- A clear description of the vulnerability and its potential impact.
- Step-by-step reproduction instructions (URLs, request payloads, screenshots, video, etc.).
- The Cake Day surface affected (e.g., cakeday.io, bot.cakeday.io, the Slack bot, etc.).
- Any relevant context (browser, OS, account/workspace identifier if you used a test account).
We'll acknowledge receipt within 2 business days, give you a triage update within 5 business days, and aim to resolve high-severity issues within 30 days of acknowledgment.
Scope
In scope:
- The marketing site and customer dashboard at https://cakeday.io.
- The bot host at https://bot.cakeday.io.
- The Cake Day Slack app — including the OAuth install flow, slash commands (/cakeday), modals, App Home tab, and event handlers. Reports about the way Cake Day uses Slack scopes, posts messages, or stores tokens are explicitly in scope.
- Authentication and session handling (Sign in with Slack, dashboard JWT, handoff tokens).
- Multi-tenant isolation — cross-workspace data access via the dashboard, the bot, or direct database queries.
- Stripe billing integration, webhook handling, and idempotency.
- The OpenRouter LLM integration and prompt-injection vectors that could affect output.
Out of scope:
- Vulnerabilities in third-party services we depend on (Slack, OpenRouter, the upstream LLM providers OpenRouter routes to, Stripe, Supabase, Fly.io, Vercel, Cloudflare). Please report those directly to the relevant provider.
- Issues that require physical access, social engineering of MSW Digital staff, or compromise of a workspace member's personal device or Slack account.
- Reports based on outdated browser/library versions, unless you can demonstrate active exploitation against current versions.
- Denial-of-service attacks against our production infrastructure. Please don't.
- Self-XSS, clickjacking on pages without state-changing actions, missing security headers without a demonstrated exploit, and other low-impact best-practice findings.
- Email spoofing or SPF/DKIM/DMARC findings (we follow industry best practices but don't treat these as bounty-eligible).
- Findings against staging or test environments not at the listed canonical URLs.
Safe harbor
We support good-faith security research. If you act in accordance with this policy — report findings privately to us, don't exfiltrate or destroy data, don't access more workspaces or accounts than necessary to demonstrate the issue, and don't publicly disclose before we've had a chance to fix — we will not pursue legal action against you. We'll work with you to resolve the issue and credit you publicly if you'd like.
If at any point you're unsure whether something is in scope or whether your testing plan is acceptable, email us first. We'd rather have a 5-minute conversation than accidentally point lawyers at you.
Disclosure timeline
We follow a coordinated disclosure model. After a fix ships, we'll work with you on a public disclosure timeline that respects affected customers' time to update if relevant. For most issues, we expect to publish a brief write-up within 90 days of the fix, with credit to the reporter (unless you prefer to remain anonymous).
What we don't offer
Cake Day does not currently run a paid bug bounty program. We may send swag, public credit, or a small thank-you for impactful reports at our discretion. If you're looking specifically for cash bounties, this isn't the right program for you.
Hall of fame
Researchers who've responsibly disclosed vulnerabilities to us:
(None yet — you could be first.)
Questions
For anything not covered here, email info@cakeday.io.
Cake Day is a service of MSW Digital LLC.