Security disclosure
Found a vulnerability?
Please email security@flatbooks.io with:
- Description of the issue
- Steps to reproduce
- Affected route, parameter, or endpoint
- Suggested severity
We acknowledge reports within 2 business days. Critical vulnerabilities (auth bypass, IDOR, RCE, secret leak) trigger same-day patches. We don't run a paid bounty program in v0; we credit researchers in our changelog with permission.
What we've done
- API routes are auth-gated when Clerk is configured (see src/lib/auth-guard.ts)
- Supabase row-level security enabled on transactions and llcs tables
- HTTPS-only in production (HSTS preload pending)
- No bank credentials touch our servers — Plaid OAuth (v0.1+) and CSV upload only
- Sentry error monitoring with PII allowlist; no transaction descriptions or amounts logged
Out of scope
Self-XSS, social engineering, denial-of-service, and findings against third-party providers (Clerk, Supabase, Plaid, Anthropic, Paddle) — please report those to the upstream provider directly.
Machine-readable
See /.well-known/security.txt for the RFC 9116 disclosure record.