
Security: sapiderman/tenkei-web

SECURITY.md

Security Policy

Supported Versions

As this is a web application hosted on cloud infrastructure, we generally only support the latest deployed version.

| Version     | Notes                                                   |
|-------------|---------------------------------------------------------|
| Production  | The current version deployed to https://tenkeiaikidojo.org |
| Development | The current main branch                                 |
| Older Tags  | We do not backport security fixes to older commits.     |

Reporting a Vulnerability

We take the security of our members' data seriously. If you discover a security vulnerability in the Tenkei Dojo platform (frontend or backend), please follow these steps:

🚫 Do NOT open a public GitHub issue

Public issues alert malicious actors to the vulnerability before we can fix it.

✅ How to report safely

Please report vulnerabilities privately via email to: info@tenkeiaikidojo.org

If your report contains highly sensitive data, please encrypt your email using our PGP key:
Download Tenkei Dojo Public Key (Fingerprint: C9DE 39F2 173B 6AC4 052B 3618 BE68 5510 C326 9728)

Please include:

  1. Type of issue (e.g., XSS, SQL Injection, Authentication Bypass).
  2. Location (e.g., "The Registration API endpoint").
  3. Steps to reproduce (A proof-of-concept script or screenshot is required).
  4. Impact (What data or access is at risk?).

Our Response Process

  1. We will acknowledge your report within 72 hours.
  2. We will verify the issue and determine its severity.
  3. We will deploy a fix to our staging environment for testing.
  4. Once verified, we will deploy the fix to production.
  5. We will notify you once the fix is live.

Coordinated Disclosure: Please allow us up to 90 days to patch the vulnerability before discussing it publicly or publishing a CVE.

Scope

In Scope

  • The web application hosted at https://tenkeiaikidojo.org.
  • The API endpoints and authentication flows (Go backend).
  • Data privacy leaks, specifically concerning Personally Identifiable Information (PII) such as mobile numbers, emails, and passwords.
  • Bypasses of the Cloudflare Turnstile implementation.

Out of Scope

  • Physical Security: Do not attempt to physically access the server locations, as we do not own them and have no idea where they are.
  • Social Engineering: No phishing staff or members, because we are not fish.
  • DDoS: Do not attempt to flood our services (Cloudflare and Google Cloud don't like it either).
  • Third-Party Services: Vulnerabilities in Cloudflare, Supabase, Vercel, or Google Cloud Platform itself should be reported directly to those vendors. For Cloudflare and Supabase specifically, please refer to their respective Vulnerability Disclosure Policies.
  • Automated Scanners: Unverified reports generated by automated scanning tools without a valid proof-of-concept are forwarded to the Church of Scientology.

Known Intended Behaviors (Not Vulnerabilities)

  • 404 Not Found on API Endpoints: Our backend is protected by magic and an edge protection layer (CDN/WAF). Direct requests to the backend origin that do not pass through this layer intentionally return a 404 Not Found, the same response an unknown route would get. This is by design and not a routing error.
  • Payload Caps: The API intentionally rejects large JSON payloads to bound memory and parsing cost on the backend (and to prevent eye strain).
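The two behaviours above, as an added example that is not the project's own code: a Go `net/http` service that answers 404 to any request that did not arrive through the edge layer, and caps JSON request bodies. The edge check is an assumption for the sake of the demo (a shared-secret header `X-Edge-Auth` that the edge layer is presumed to add); the real tenkei-web backend may identify edge traffic differently. The 1 MiB cap, the 413 status for oversized bodies, and the `/api/register` route are likewise assumptions.

```go
package main

import (
	"crypto/subtle"
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
)

// maxJSONBody is an assumed cap on request bodies (1 MiB).
const maxJSONBody = 1 << 20

// edgeHeader / edgeSecret are assumptions for this example: a header the
// edge layer adds on every proxied request and that direct clients lack.
// In real use the secret would come from configuration, not a literal.
const edgeHeader = "X-Edge-Auth"
const edgeSecret = "example-shared-secret"

// edgeGuard answers 404 Not Found to requests that bypassed the edge layer,
// so a direct probe of the origin looks identical to an unknown route.
func edgeGuard(secret string, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		got := r.Header.Get(edgeHeader)
		if subtle.ConstantTimeCompare([]byte(got), []byte(secret)) != 1 {
			http.NotFound(w, r)
			return
		}
		next.ServeHTTP(w, r)
	})
}

type registration struct {
	Email string `json:"email"`
}

// decodeJSON reads at most maxJSONBody bytes, rejects unknown fields, and
// rejects bodies that carry more than one JSON value.
func decodeJSON(w http.ResponseWriter, r *http.Request, dst any) error {
	r.Body = http.MaxBytesReader(w, r.Body, maxJSONBody)
	dec := json.NewDecoder(r.Body)
	dec.DisallowUnknownFields()
	if err := dec.Decode(dst); err != nil {
		return err
	}
	// A second Decode must hit EOF; anything else is trailing data.
	if err := dec.Decode(&struct{}{}); !errors.Is(err, io.EOF) {
		return errors.New("body must contain a single JSON object")
	}
	return nil
}

func registerHandler(w http.ResponseWriter, r *http.Request) {
	var reg registration
	if err := decodeJSON(w, r, &reg); err != nil {
		var tooBig *http.MaxBytesError
		if errors.As(err, &tooBig) {
			http.Error(w, "payload too large", http.StatusRequestEntityTooLarge)
			return
		}
		http.Error(w, "bad request", http.StatusBadRequest)
		return
	}
	w.WriteHeader(http.StatusOK)
	fmt.Fprintf(w, "registered %s", reg.Email)
}

// newServer wires the edge guard in front of the API routes.
func newServer() http.Handler {
	mux := http.NewServeMux()
	mux.HandleFunc("/api/register", registerHandler)
	return edgeGuard(edgeSecret, mux)
}

// probe sends a POST with the given body and returns the status code.
func probe(h http.Handler, body string, viaEdge bool) int {
	req := httptest.NewRequest(http.MethodPost, "/api/register", strings.NewReader(body))
	if viaEdge {
		req.Header.Set(edgeHeader, edgeSecret)
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	h := newServer()
	small := `{"email":"a@example.org"}` // constructed sample body
	fmt.Println(probe(h, small, false)) // 404: bypassed the edge layer
	fmt.Println(probe(h, small, true))  // 200
	fmt.Println(probe(h, `{"email":"`+strings.Repeat("x", maxJSONBody)+`"}`, true)) // 413
}
```

The guard compares the header in constant time and deliberately returns the generic 404 rather than 401/403, which is what makes a direct origin hit indistinguishable from a missing route. `http.MaxBytesReader` stops reading once the cap is exceeded, so the decoder never buffers an unbounded body; the oversized probe fails part-way through the string value and surfaces as `*http.MaxBytesError`.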

Safe Harbor

If you follow these guidelines and act in good faith to identify and report vulnerabilities, we commit to:

  • No voodoo, spells, or hexing against researchers acting in good faith.
  • Working with you to understand and resolve the issue quickly.
  • Publicly acknowledging your contribution (if you wish) once the issue is resolved.
  • Not initiating legal action or law enforcement investigations against you related to your research. Who even has that time and energy?

Bug Bounty

As Tenkei Aikidojo is a non-profit organization run by volunteers, we currently do not offer financial rewards or bug bounties for vulnerability reports. We deeply appreciate the time and effort of security researchers who help keep our community safe, and we are happy to provide public acknowledgment or recommendations for valid, impactful reports. There may be cookies or tiramisu, depending on the baker.
