Security & vulnerability disclosure
Last updated: 20 June 2026
We take the security of EmailBridge seriously. This page documents how to report a security vulnerability in the services we operate, and how we triage, remediate, and disclose issues. If you believe you have found a vulnerability, please tell us — we welcome good-faith reports.
In this policy, “EmailBridge”, “we”, “us” and “our” refer to the operator of EmailBridge, run as a sole proprietorship.
1. Scope
This process covers the services we host and operate:
- The EmailBridge bridge — our Cloudflare Worker API that receives your exported image slices, optimizes them, and builds your template in Klaviyo or Omnisend on your instruction.
- The EmailBridge website — this site, hosted on Cloudflare Pages.
- The EmailBridge Figma plugin client — the plugin code that runs inside Figma.
Vulnerabilities in third-party platforms (Figma, Klaviyo, Omnisend, Cloudflare) are out of our scope — please report those to the respective vendor.
2. How to report a vulnerability
Email Geek@inboxengage.com with a clear description. To help us triage quickly, please include:
- The type of issue and the affected endpoint, URL, or plugin area.
- Step-by-step instructions to reproduce it, and a proof-of-concept where possible.
- The impact you believe it has, and any suggested remediation.
- Your name or handle if you would like to be credited.
Please report privately and give us a reasonable opportunity to fix the issue before any public disclosure. Do not open a public issue or post details publicly until we have confirmed a fix.
3. Our response process
When we receive a report, we follow these steps:
| Stage | What we do / target |
|---|---|
| Acknowledge | We confirm receipt within 3 business days. |
| Triage | We validate and assign a severity (critical / high / medium / low) based on impact and exploitability, typically within 7 business days. |
| Remediate | We prioritize by severity: critical and high issues are patched as quickly as we reasonably can; medium and low issues are scheduled into a normal release. |
| Update | We keep you informed of progress and let you know when a fix is deployed. |
| Disclose | After a fix is live, we are happy to credit you and, where appropriate, coordinate public disclosure with you. |
As a small team, our timelines are best-effort, but we commit to communicating clearly throughout.
4. Safe harbor
We will not pursue or support legal action against anyone who, in good faith and in line with this policy, discovers and reports a vulnerability. To stay within safe harbor, you must:
- Only test against your own EmailBridge account, your own API keys, and data you own — never another user’s.
- Avoid privacy violations, data destruction, and any degradation of the Service (for example, no denial-of-service or large-scale automated testing).
- Not access, modify, or exfiltrate data that is not yours, and stop as soon as you’ve demonstrated a vulnerability.
- Give us a reasonable time to remediate before disclosing publicly.
5. Out of scope
The following are generally not eligible:
- Findings in third-party services (Figma, Klaviyo, Omnisend, Cloudflare) — report those to the vendor.
- Denial-of-service, volumetric, or brute-force attacks.
- Social engineering, phishing, or physical attacks.
- Reports of missing best-practice headers or rate limits with no demonstrated security impact.
- The plugin’s shared client token. It is a documented public speed-bump against casual abuse, not a per-user secret, so recovering it from the plugin code is not in itself a vulnerability.
6. How we secure the service
Some of the controls already in place:
- Encryption in transit — all connections use HTTPS.
- No long-lived platform secrets — your Klaviyo or Omnisend API key is used only to complete the build you request and is not retained by the bridge after the request finishes.
- Access control — the bridge requires the plugin’s client token (a speed-bump against casual abuse, see section 5, not a per-user credential), is rate-limited per IP, and enforces request size limits to bound abuse.
- Least privilege — the plugin only ever requests the minimum platform scopes needed to upload images and build a template; it never asks for contacts, lists, campaigns, or send permissions.
- Input handling — links and content carried into your template are validated and escaped before they are written.
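As an added illustration of the input-handling control above (example code written for this page, not EmailBridge’s own implementation), the following Worker-style helper validates a link before it is written into an `href` and escapes both the link and its label for the HTML context. The accepted schemes, the length cap, and the plain-text fallback are assumptions for the example.

```javascript
// Illustrative only: a link sanitizer of the kind a template builder needs
// before writing user-supplied links into generated HTML. Not EmailBridge code.

// Assumption: an email template only ever needs web and mailto links.
const ALLOWED_SCHEMES = new Set(["http:", "https:", "mailto:"]);
const MAX_URL_LENGTH = 2048; // assumption: generous cap to bound abuse

// Returns a normalized absolute URL string, or null if the link is rejected.
function validateLink(raw) {
  if (typeof raw !== "string" || raw.length > MAX_URL_LENGTH) return null;
  const trimmed = raw.trim();
  // Control characters or embedded whitespace are a classic way to smuggle
  // "java\tscript:" past naive prefix checks; reject them outright.
  if (/[\u0000-\u001f\u007f\s]/.test(trimmed)) return null;
  let url;
  try {
    url = new URL(trimmed); // throws on relative URLs and on garbage
  } catch {
    return null;
  }
  // URL.protocol is lowercased by the parser, so "JAVASCRIPT:" is caught too.
  if (!ALLOWED_SCHEMES.has(url.protocol)) return null;
  return url.href;
}

// Escape for an HTML attribute value or text node (both quote styles covered).
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Build the anchor that goes into the template. If the link fails validation,
// fall back to plain text rather than writing an unsafe href.
function renderLink(rawHref, rawText) {
  const href = validateLink(rawHref);
  if (href === null) {
    return `<span>${escapeHtml(rawText)}</span>`;
  }
  return `<a href="${escapeHtml(href)}">${escapeHtml(rawText)}</a>`;
}

// Constructed sample input, as the plugin might send it to the bridge.
const sampleLinks = [
  ["https://example.com/shop?a=1&b=2", "Shop <now>"],
  ["javascript:alert(1)", "Click me"],
  ["  data:text/html,<script>alert(1)</script>", "Open"],
  ["/relative/path", "Relative"],
];

function renderAll(links) {
  return links.map(([href, text]) => renderLink(href, text));
}

if (typeof require !== "undefined" && require.main === module) {
  for (const html of renderAll(sampleLinks)) console.log(html);
}
```

Rejecting anything that is not an absolute URL with an allowed scheme, and then escaping for the context it is written into, are two separate checks; the first stops `javascript:` and `data:` links, the second stops a link or label from breaking out of the attribute or element it is placed in.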
For how we handle your data more broadly, see our Privacy Policy.
7. Recognition
We do not currently run a paid bug-bounty program. We are grateful for responsible disclosure and are happy to publicly credit researchers who report valid issues, if they wish.
Contact for security matters: Geek@inboxengage.com.