Security Policy

Feed America (501(c)(3), EIN 92-1761881) takes the security of our public food-assistance directory seriously. We welcome vulnerability reports from security researchers and commit to coordinated disclosure within reasonable timelines.

How to report a vulnerability

Email security@feedam.org with:

• Affected URL or endpoint
• Steps to reproduce
• Impact assessment (data exposure, auth bypass, denial of service, etc.)
• Optional: a proof-of-concept (please do not exfiltrate user data)
• Optional: your name + URL/handle for the acknowledgments list

If you prefer encrypted communication, request our PGP key in your initial email and we'll respond with it.

Response expectations

• Acknowledgment: within 3 business days
• Triage decision: within 7 business days
• Fix or mitigation: within 30 days for critical / high; 90 days for medium / low
• Public disclosure: coordinated with the reporter, typically within 90 days of fix unless extended for active exploitation

Scope

The following are in scope:

• feedam.org + all subdomains
• feedam-api.emperormew.workers.dev (Cloudflare Worker)
• HSDS feed at /hsds/v3/
• MCP server at /mcp/v1
• Embed widgets at /embed/*
• Public APIs at /api/*

The following are out of scope:

• Third-party services (PayPal Giving Fund, Cloudflare, etc.) — please report to those vendors directly
• Public records we re-publish (USDA SNAP retailer data, HRSA FQHC data, state WIC clinic data, etc.) — these are federally-public datasets and the data itself is public domain
• Our sister 501(c)(3)s' separate domains and infrastructure (feedingtx.org, feedingfl.org)

Vulnerability classes we're particularly interested in

• SQL injection or other data-store vulnerabilities
• Authentication / authorization bypass on /api/pantry/manage/* (operator dashboard)
• XSS or HTML injection on user-rendered content (resource names, organization names, etc.)
• CSRF on writeable endpoints (/api/feedback, /api/submissions, /api/pantry/*)
• Brand confusion vulnerabilities (e.g. crafted URLs that lead donors to the wrong charity)
• Server-side request forgery, especially via /api/disasters/ingest

Out-of-scope reports

We will not act on the following without supporting evidence of real-world impact:

• Missing security headers on static assets (we already audit headers via npm run audit)
• Self-XSS (requires victim to type code into their own console)
• Email enumeration on operator-claim endpoints — by design
• SPF/DKIM/DMARC on email domains — already audited
• Rate-limit bypasses without amplification
• Outdated dependency reports without a confirmed exploitable path

Safe-harbor commitment

If you make a good-faith effort to comply with this policy, we will not pursue civil or criminal action against you. Specifically, we promise:

• To not pursue or support any legal action against you for activities consistent with this policy
• To work with you to understand and resolve the issue quickly
• To recognize your contribution if you are the first to report and we make a fix
• To NOT share your contact information without your explicit consent

To stay in safe harbor:

• Don't exfiltrate, store, or share user data beyond the minimum needed for the proof-of-concept
• Don't degrade the service for other users (no DDoS testing, no aggressive load testing)
• Don't social-engineer staff or volunteers
• Don't physically access our facilities

Acknowledgments

Security researchers who have reported vulnerabilities responsibly will be listed here (with permission). The list is currently empty — be the first.

Machine-readable

RFC 9116 security.txt: /.well-known/security.txt

Bug bounty

We're a 501(c)(3) operating on platform-infrastructure costs only — we do not currently offer monetary rewards. We do offer:

• Public acknowledgment in the list above (with your permission)
• A "Feed America Security Researcher" letter for your portfolio (signed, on letterhead)
• Free Verified Badge for any of your associated organizations or projects
• Priority consideration for future paid security work as we scale

Questions about this policy

For general security or privacy questions: security@feedam.org. For privacy questions specifically: see our privacy policy.

This policy is published per RFC 9116. Last reviewed: 2026-04-29 · Transparency · Privacy · Disclosures