Responsible Disclosure — DuplicateGuard
Last updated: 2026-04-29
We're a small team and we take security seriously. If you've found a vulnerability in DuplicateGuard or in any service we operate at duplicateguard.com, we want to hear from you.
How to report
Email security@sidebarbookkeeping.com with:
- A description of the issue.
- A way to reproduce it (steps, request payloads, screenshots — whatever makes the next person's job easy).
- The impact you believe it has.
- Your name or handle if you'd like credit.
If you need to encrypt the report, ask in your first email and we'll set up a PGP exchange.
In scope
- Anything served from duplicateguard.com or *.duplicateguard.com.
- The DuplicateGuard application code, including its OAuth flow, webhook handlers, and the duplicate-detection engine.
- Authentication, session, CSRF, and rate-limit logic.
Out of scope
- Findings against third-party services we use (Intuit, Stripe, Resend, Neon, Fly.io, Cloudflare). Report those directly to the provider.
- Self-reports of best-practice deviations that are not exploitable (e.g., "you don't have HSTS preloading" is informational; "your HSTS expires in one second" is in scope).
- Denial-of-service, brute-force, or volumetric attacks. We log them but they aren't useful research.
- Social engineering against employees, customers, or the operator's family.
- Findings that require a compromised end-user device.
What we ask
- Don't access customer data. If a finding lets you read a bookkeeper's clients' QuickBooks data, demonstrate the impact in your own test account, then stop. Don't pull, copy, or retain customer records.
- Don't disrupt service. Test against your own connection or a sandbox. Don't run automated scanners against production at a rate that affects other users.
- Give us time. Don't publicly disclose a finding for 90 days after your initial report, or until the issue is fixed and we've coordinated a disclosure with you, whichever comes first.
What we commit
- We will acknowledge your report within 24 hours.
- We will provide a status update within 72 hours, including a severity estimate and a target fix timeline.
- We will publicly credit you (with your permission) once the fix is shipped, in the disclosure footer of an updated Privacy Policy entry or in a dedicated changelog.
- We currently do not run a formal bug-bounty program with cash payouts. For impactful findings, we may offer a thank-you in the form of a free DuplicateGuard subscription or a discretionary gift card.
Safe harbor
If you operate in good faith and within the scope and rules above, we will not pursue civil or criminal action against you for your research, and we will not refer you to law enforcement. We agree your activity is "authorized access" for the purposes of the Computer Fraud and Abuse Act and analogous state laws. This safe harbor does not apply to actions that exceed the scope of this policy or that violate applicable laws against unrelated parties.
Operator
Sidebar Bookkeeping LLC
mike@sidebarbookkeeping.com
security@sidebarbookkeeping.com