Security at Joisk
We take the safety of players and creators seriously. Here's how we protect your account and your data — and how to tell us if you find something wrong.
Our security posture
Games and apps built on Joisk run sandboxed and are served from a separate origin. They reach the network only through a vetted postMessage host bridge — they can't read your session or touch other users' data directly.
Before a build goes live we scan its source for leaked API keys, tokens, and other secrets, so credentials don't ship inside a published project.
Prices, credit balances, payouts, and earnings are always computed and enforced on our servers. We never trust amounts sent from the browser.
Payments run through Stripe with Joisk as the Merchant of Record. We don't store raw card numbers — card data is handled by Stripe's PCI-compliant systems.
Play and build access is gated behind authenticated accounts, with server-side session checks rather than client-side trust.
Firestore and Storage rules deny by default; sensitive collections (reports, payouts, security reports) are reachable only through our server using the Admin SDK.
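To make the host-bridge and server-side-amounts points above concrete, here is an added example of what the host page's side of such a postMessage bridge can look like. It is illustrative code, not Joisk's own; the sandbox origin, message types, field names and the serverCall helper are all assumptions.

```javascript
// Host-page side of a postMessage bridge for sandboxed builds. Added example;
// the origin, message types and field names are assumptions, not Joisk's code.
const SANDBOX_ORIGIN = "https://builds.sandbox.example"; // assumed separate origin
const MAX_STATE_CHARS = 16 * 1024;

// Pure decision function: given a MessageEvent-like object, decide whether the
// host should act on it. Returns { ok: true, request } or { ok: false, reason }.
function vetBridgeMessage(event, expectedOrigin = SANDBOX_ORIGIN) {
  // Only messages from the build origin are honoured; never accept "*".
  if (event.origin !== expectedOrigin) return { ok: false, reason: "origin-mismatch" };
  const msg = event.data;
  if (!msg || typeof msg !== "object" || typeof msg.type !== "string") {
    return { ok: false, reason: "malformed" };
  }
  switch (msg.type) {
    case "getProfile":
      // The host resolves the caller from its own session; the frame never
      // receives a session token and cannot name another user's id.
      return { ok: true, request: { action: "getProfile" } };
    case "purchase":
      // Builds may only name an item; prices and balances are server-side.
      if (typeof msg.itemId !== "string" || !/^[A-Za-z0-9_-]{1,64}$/.test(msg.itemId)) {
        return { ok: false, reason: "bad-item-id" };
      }
      if ("price" in msg || "amount" in msg || "credits" in msg) {
        return { ok: false, reason: "client-supplied-amount" };
      }
      return { ok: true, request: { action: "purchase", itemId: msg.itemId } };
    case "saveState":
      if (typeof msg.state !== "string" || msg.state.length > MAX_STATE_CHARS) {
        return { ok: false, reason: "state-too-large" };
      }
      return { ok: true, request: { action: "saveState", state: msg.state } };
    default:
      return { ok: false, reason: "unknown-type" };
  }
}

// Browser wiring. serverCall(request) is an assumed helper that calls the
// backend with the host's own credentials. Returns false outside a browser.
function installBridge(serverCall) {
  if (typeof window === "undefined") return false;
  window.addEventListener("message", async (event) => {
    const verdict = vetBridgeMessage(event);
    if (!verdict.ok || !event.source) return; // drop; never answer unvetted senders
    const result = await serverCall(verdict.request);
    // Reply with an explicit target origin so a navigated frame cannot read it.
    event.source.postMessage({ type: `${verdict.request.action}:result`, result }, SANDBOX_ORIGIN);
  });
  return true;
}
```

The vetting function is kept pure so it can be unit-tested without a browser; only installBridge touches window.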
Responsible disclosure policy
If you believe you've found a security vulnerability in Joisk, we want to hear about it. We welcome reports from security researchers and will work with you to understand and resolve the issue quickly.
In scope
- The Joisk website and web app at joisk.com.
- Our APIs, authentication, billing, and credits systems.
- The AI builder, publishing pipeline, and the game host bridge.
- The sandbox isolation around user-built games and apps.
Out of scope
- Content inside user-generated builds (use abuse reporting for harmful content).
- Volumetric denial-of-service, spam, or social engineering of our staff or users.
- Reports from automated scanners with no demonstrated, real-world impact.
- Issues in third-party services (Stripe, Firebase, etc.) — report those to the vendor.
Safe harbor
If you make a good-faith effort to comply with this policy during your research, we will consider your activity authorized, will not pursue or support legal action against you, and will work with you to understand and resolve the issue. Please avoid privacy violations, data destruction, and service degradation. Only access, modify, or store the minimum data necessary to demonstrate an issue, and never access or exfiltrate other users' data.
How to report
Email security@joisk.com or use the form below. Our machine-readable policy is published at /.well-known/security.txt (RFC 9116). Please include clear reproduction steps, the affected URLs, and the impact you observed.
What to expect
- We aim to acknowledge new reports within 3 business days.
- We'll keep you updated as we triage and remediate, and let you know when a fix ships.
- We don't run a paid bug-bounty program yet, but we're grateful for responsible disclosure and are happy to credit you (with your permission) once an issue is resolved.
Report a vulnerability
Send us the details below. You don't need an account — leave a contact if you'd like us to follow up.