Reporting a vulnerability
Email actuallyusefulextensions@gmail.com with SECURITY in the subject. We'd rather hear from you than not.
Policy last updated 17 July 2026.
What to expect from us
- Acknowledgement within 2 business days.
- An initial assessment within 5 business days, telling you whether we've reproduced it and what we intend to do.
- Progress updates until it's resolved, and confirmation when it's fixed.
- Credit for the finding if you'd like it — and none if you'd prefer to stay anonymous.
Safe harbour
If you make a good-faith effort to follow this policy, we will not pursue or support legal action against you for your research, and we'll treat it as authorised conduct. If a third party brings action against you for work that followed this policy, we'll make that authorisation clear.
Good faith means: give us reasonable time to fix the issue before telling anyone else, don't access, modify or delete data that isn't yours, don't degrade the service for other people, and stop as soon as you've confirmed a vulnerability exists.
In scope
- The Time Off Slack app and its behaviour in Slack
- This website and its endpoints
- Anything that could expose one workspace's leave data to another, or let someone act as a user they're not
Out of scope
- Slack's own platform — report those to Slack, not us.
- Railway's infrastructure — report to Railway.
- Denial of service, volumetric or brute-force testing, and anything that degrades the service for real users.
- Social engineering, phishing, or physical attacks against us or our customers.
- Reports generated solely by an automated scanner, with no demonstrated impact.
- Missing hardening headers or best-practice suggestions with no exploitable consequence.
Please don't
Test against a real customer's workspace. If you need a workspace to test in, create your own free one and install the app there — everything is reachable that way.
No bounty
We're honest about this: Time Off does not run a paid bug bounty. We can offer a fast response, a real fix, and public credit — but not money. We'd still very much like to hear from you.
Our security posture, briefly
- No separate login: authentication is entirely Slack's, so your workspace's own SSO governs access.
- All traffic over TLS; data encrypted at rest; Slack tokens stored encrypted and never logged.
- Every query is scoped by Slack team ID, so one workspace's data isn't reachable from another's.
- We store the minimum: no message history, no medical detail, no government identifiers. See the Privacy Policy and sub-processors.