Security
Marca is operated by CAIO LLC. We take the security of the Platform, the Marca Script, and Subscriber data seriously. If you believe you've found a vulnerability, we want to hear about it.
Reporting a vulnerability
Email [email protected] with:
- A description of the vulnerability and the affected endpoint or component
- Reproduction steps — ideally a minimal proof-of-concept
- The potential impact and any mitigation suggestions you have
- Your name or handle if you'd like attribution in the fix notes
We'll acknowledge your report within 5 business days, work on a fix, and let you know when it's been resolved. We don't currently run a paid bounty program, but we will publicly credit researchers who follow this policy (with your permission).
Safe harbor
We will not pursue legal action against researchers who:
- Make a good-faith effort to avoid privacy violations, destruction of data, and disruption of service
- Only interact with accounts they own or have explicit permission from the account holder to access
- Do not exfiltrate data beyond what is necessary to demonstrate the vulnerability
- Give us a reasonable opportunity to remediate before any public disclosure
- Do not violate any applicable law
If in doubt about whether an action is in scope, please email us first and we'll discuss.
In scope
- marca.dev, www.marca.dev, app.marca.dev
- The Marca Script served from our CDN
- Our API endpoints under /api/v1/
- Authentication, session management, and access control
- Workspace isolation (cross-Workspace data access)
- Injection vulnerabilities (XSS, SQLi, command injection, SSRF, etc.)
- Sensitive data exposure
Out of scope
- Reports from automated scanners without a working proof-of-concept
- Denial-of-service, volumetric attacks, or load testing of production
- Social engineering of CAIO employees or contractors
- Physical attacks on CAIO facilities or staff
- Issues in third-party services we sub-process to (please report to that vendor)
- Missing security headers without a demonstrable exploit
- Self-XSS, clickjacking on pages without sensitive actions, missing rate limits without an exploit
- Outdated TLS configurations on non-production endpoints
- Email-spoofing reports against domains we don't send mail from
Coordinated disclosure
Please give us at least 90 days from the date of your initial report before publicly disclosing a vulnerability. We will work with you to confirm the timeline once we've validated the report. If the issue is being actively exploited or presents urgent risk, we may move faster.
Contact
Security reports: [email protected]
General contact: [email protected]