STREAMERHUBB.
// LEGAL

Security Policy

Last updated: April 26, 2026

How we secure your account

  • Passwords: never stored in plaintext. Supabase hashes them with bcrypt-style algorithms before they touch our database.
  • Sessions: HttpOnly + Secure + SameSite=Lax cookies. Sessions auto-expire after ~7 days of inactivity.
  • Transport: HTTPS everywhere, with HSTS preloaded. No plaintext fallback.
  • Database isolation: Postgres row-level security policies enforce that every user can only read or write their own rows.
  • Payments: Stripe handles every card. We never see, log, or store card numbers.
  • Email: SPF + DKIM + DMARC on every outgoing message. Reset links expire in 1 hour.
  • Headers: Content-Security-Policy, X-Frame-Options, X-Content-Type-Options, Permissions-Policy applied site-wide.
  • Rate limiting: per-IP token buckets on every public write endpoint (favorites, votes, advertiser leads).
  • Identity locking: once you claim a streamer profile, the platform handle is immutable from your side — preventing a hijacked account from being repointed at someone else's channel.
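An added illustration of the row-level security control listed above (example SQL written for this page, not StreamerHubb's actual schema or policies): the `favorites` table and its columns are assumed, and `auth.uid()` is the Supabase helper that returns the authenticated caller's user id. It shows the weak state (no RLS, or a permissive policy) beside the per-operation policies that restrict each user to their own rows.

```sql
-- Added example, not StreamerHubb's own schema. Table and columns are assumed.
create table if not exists favorites (
  id         bigint generated always as identity primary key,
  user_id    uuid not null,                 -- owner of the row
  streamer   text not null,
  created_at timestamptz not null default now()
);

-- Weak state: without "enable row level security", any role holding table
-- privileges reads and writes every row. A policy written as
--   using (true)
-- is just as weak, since it passes every row through.

-- Hardened state: enable RLS and tie each operation to the caller's id.
alter table favorites enable row level security;
-- Apply the policies to the table owner as well (superusers and roles with
-- BYPASSRLS still bypass; those should never be used by the application).
alter table favorites force row level security;

-- Reads: only rows the caller owns.
create policy favorites_select_own on favorites
  for select using (auth.uid() = user_id);

-- Inserts: the new row must name the caller as owner (with check guards the
-- written values, so a user cannot create rows on someone else's behalf).
create policy favorites_insert_own on favorites
  for insert with check (auth.uid() = user_id);

-- Updates: caller must own the existing row (using) and may not reassign it
-- to another user (with check).
create policy favorites_update_own on favorites
  for update using (auth.uid() = user_id)
             with check (auth.uid() = user_id);

-- Deletes: only the caller's own rows.
create policy favorites_delete_own on favorites
  for delete using (auth.uid() = user_id);

-- Verification: list the policies Postgres will enforce on the table.
select policyname, cmd, qual, with_check
  from pg_policies
 where tablename = 'favorites';
```

A table with RLS enabled but no policy at all denies every row to non-owner roles, so a missing policy shows up as an empty result for the affected operation rather than as a data leak.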

Reporting a vulnerability

Please email security@streamerhubb.com. Include:

  • A clear description of the issue.
  • Steps to reproduce.
  • Any proof-of-concept (without exfiltrating real user data).

We'll acknowledge reports within 3 business days and aim to triage within 7. We don't currently run a paid bug bounty, but we'll publicly credit researchers who help us with their permission.

Safe harbour

Good-faith research is welcome. We won't pursue legal action against researchers who:

  • Test only their own accounts (or accounts they have permission to test).
  • Don't access, modify, or delete other users' data beyond what's necessary to demonstrate the issue.
  • Give us a reasonable window (we suggest 30 days) to remediate before public disclosure.
  • Don't run automated scanners that materially degrade Service performance.

Out of scope

  • Reports that require physical access to a user's device.
  • Findings only reproducible on out-of-date browser / OS versions.
  • Self-XSS that requires the victim to paste payloads into their own DevTools console.
  • Automated scanner output without a working proof-of-concept.
  • Findings that target our sub-processors (Supabase, Stripe, Vercel, Resend) — please report those directly to the vendor.

// STREAMERHUBB · LIVE STREAMING DISCOVERY · 2026