Security

Reporting a Vulnerability

If you have discovered a security vulnerability in localskills.sh, please email support@ezgamehost.com with the subject line “Security Report.” We will acknowledge your report within five (5) business days.

Scope

In scope: localskills.sh and its public APIs.

Out of scope: third-party services we depend on (Cloudflare, Google OAuth), social engineering of EZ Game Host staff, physical attacks, volumetric denial-of-service testing, and findings on staging or preview deployments.

Safe Harbor

We will not pursue legal action against researchers who act in good faith, comply with this policy, avoid privacy violations and service disruption, and give us reasonable time to remediate before public disclosure.

What to Include in Your Report

• The affected URL or endpoint
• Step-by-step reproduction instructions
• Your assessment of impact
• Suggested remediation, if any
• Your contact information

Coordinated Disclosure

We request approximately ninety (90) days from initial report before public disclosure to allow time for a fix. We’re happy to coordinate timing with you.

See also our machine-readable security contact at /.well-known/security.txt.