Default safe scope
The default beta check starts with public, normal-user review: landing page clarity, mobile layout, obvious broken flows, browser console errors, public links, pricing clarity, trust signals, and launch-readiness gaps.
Only with written permission
Login flows, payment tests, admin areas, test accounts, API checks, upload handling, AI-cost abuse scenarios, and deeper security exercises require explicit written scope before we touch them.
What we do not do in the beta
We do not perform denial-of-service testing, credential stuffing, social engineering, destructive exploitation, malware testing, persistence, data exfiltration, or attempts to bypass third-party systems.
Evidence style
Evidence is practical and restrained: screenshots, browser behavior, console/API errors, public headers, visible app states, and notes that help you reproduce and fix the issue.
Fix prompts
Fix prompts are written for coding agents and developers. They are suggestions, not a substitute for engineering judgment, legal review, payment-provider rules, or a full security assessment.
Responsible communication
Outreach is permission-first. We avoid threat-like language and do not pressure founders with vulnerability claims. If we notice a public issue, we ask whether the owner wants a quick note about it.