Security

Last updated May 2026

We take the security of Forge Engine and the data our users entrust to us seriously. If you believe you have found a vulnerability, we want to hear from you. This page explains how to report it and what to expect from us.

Reporting a vulnerability

Please email security@forgeengine.io with a clear description of the issue, the steps to reproduce it, and the impact you observed. If you have a proof-of-concept, attach it directly — do not host it on a third-party paste site that could be deleted.

We accept reports in English. If sensitive material is involved you may encrypt the message; reach out first and we will share a PGP key.

Our commitments

  • Acknowledgement within 5 business days of receipt, with an initial triage assessment.
  • Status updates at least every 14 days while we work on a fix.
  • Public credit on this page once the issue is resolved, if you would like it (we will ask).
  • No legal action against researchers acting in good faith within the scope below.

Scope

In scope:

  • forgeengine.io and its subdomains.
  • The Forge Engine API.
  • Forge-operated infrastructure (object storage buckets, queue workers, transactional email).

Out of scope:

  • Third-party services we integrate with (Supabase, Cloudflare, Resend, OpenAI, Stripe, RunPod). Please report those directly to the provider; we will assist if you need a contact.
  • Findings that require physical access, social engineering of staff, or a malicious browser extension installed on the victim.
  • Volumetric denial-of-service tests. We cannot consent to these — they affect other users and our infrastructure providers.
  • Self-XSS that requires the victim to paste attacker-controlled JavaScript into their own browser console.
  • Best-practice missing-header reports without a demonstrated impact.

Safe harbour

If you make a good-faith effort to comply with this policy — reporting promptly, avoiding privacy violations, destruction of data, or interruption of service — we will not pursue legal action and we will treat your research as authorised.

What we will not pay (yet)

Forge Engine does not currently run a paid bug-bounty programme. We will, however, publicly credit valid reports, prioritise fixes, and review our scope as the product grows. If you are after a paid programme, we recommend checking back in a few months.

Other security questions

For non-vulnerability security questions (compliance, data processing, sub-processors), email security@forgeengine.io. A list of the third-party services we use to deliver Forge Engine and the data they process is published on our subprocessors page. Forge Engine is operated by Nimbus Compute Ltd, registered in the United Kingdom.