Vulnerability Disclosure
How to responsibly report a vulnerability.
We welcome reports from the security community. This page describes how to report a vulnerability and what to expect from us.
Last updated: 2026-06-28
This page is maintained by Blanca's IT Professional SL to answer common security, privacy and trust questions about Blanca's Builder.
This page is app-owned editable content. It is not an independent audit or certification.
Security is a shared responsibility between Blanca's IT Professional SL, the platforms we run on (Cloudflare, Supabase) and you as the account owner.
Scope
In scope: the production app at https://blancasbuilder.com, the API endpoints under /api, the auth flow and the public marketing pages. Out of scope: third-party services (Cloudflare, Supabase, AI providers) — please report those to their respective programs.
How to report
Send a detailed report to info@blancas-it.com with the subject line 'Security report'. Include steps to reproduce, the impact and any supporting screenshots or logs.
Safe harbour
We will not pursue legal action against researchers who act in good faith, do not access data beyond what is needed to demonstrate the issue, do not degrade the service for other users and give us a reasonable period to fix the issue before public disclosure.
Response timeline
We acknowledge new reports within one business day, triage within five business days and aim to fix high-severity issues within 30 days. We will keep you updated on progress.
Out of scope
The following are out of scope: reports based purely on theoretical risks, reports of missing best-practice headers without a concrete exploit, social engineering of our staff, and denial-of-service tests.
Canonical: https://blancasbuilder.com/trust/vulnerability-disclosure · Blanca's Builder