Time Off
Security

Reporting a vulnerability

Email actuallyusefulextensions@gmail.com with SECURITY in the subject. We'd rather hear from you than not.

Policy last updated 17 July 2026.

What to expect from us

Safe harbour

If you make a good-faith effort to follow this policy, we will not pursue or support legal action against you for your research, and we'll treat it as authorised conduct. If a third party brings action against you for work that followed this policy, we'll make that authorisation clear.

Good faith means: give us reasonable time to fix the issue before telling anyone else, don't access, modify or delete data that isn't yours, don't degrade the service for other people, and stop as soon as you've confirmed a vulnerability exists.

In scope

Out of scope

Please don't

Test against a real customer's workspace. If you need a workspace to test in, create your own free one and install the app there — everything is reachable that way.

No bounty

We're honest about this: Time Off does not run a paid bug bounty. We can offer a fast response, a real fix, and public credit — but not money. We'd still very much like to hear from you.

Our security posture, briefly