Security acknowledgments.
We thank every researcher who takes the time to find and responsibly disclose a vulnerability. This page recognizes those who've helped make Reservory safer.
Hall of thanks
No researchers are listed yet — Reservory launched recently and our responsible disclosure program is open now. If you find a valid vulnerability and report it in good faith, we’ll add your name here (or note your preference to remain anonymous) once the issue is resolved.
How to get listed
Submit a report through our program as described on the Security Policy page. Once we confirm the issue, triage it, and ship a fix, we’ll reach out to ask how you’d like to be credited. You can choose:
- Your name and a link of your choice
- Handle or alias only
- Anonymous — no listing at all
What we’re looking for
High-impact findings in our threat model are particularly valued: tenant isolation bypass, authentication or authorization bypass, billing evasion, SSRF through webhook URLs, and booking concurrency exploits. See the full scope and bounty table on the Security Policy page.
Contact
Email security@reservory.com or submit through our private HackerOne program (invite available on request). Our PGP key is at /.well-known/pgp-key.txt for encrypted submissions.
We acknowledge every valid report within 2 business days and aim to triage within 5. Thank you for helping keep Reservory operators and their guests safe.