Security

Security at Joisk

We take the safety of players and creators seriously. Here's how we protect your account and your data — and how to tell us if you find something wrong.

Our security posture

Sandboxed user builds

Games and apps built on Joisk run sandboxed and are served from a separate origin. They reach the network only through a vetted postMessage host bridge — they can't read your session or touch other users' data directly.
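The host side of such a bridge is where the isolation is actually enforced, so here is an added example (not Joisk's own bridge code) of how a host page can vet messages from a sandboxed iframe before acting on them. The sandbox origin, the action names and their validators are assumptions; the point is that the host checks `event.origin` and `event.source`, accepts only allowlisted actions with validated payloads, and keeps the session on the host side so the build never sees it.

```javascript
// Added example, not Joisk's code. The origin and action list are assumptions.
const SANDBOX_ORIGIN = 'https://builds.example-sandbox.test'; // assumed origin

// Allowlist of actions a build may request, each with a payload validator.
const ALLOWED_ACTIONS = {
  'leaderboard.submit': (p) =>
    Number.isInteger(p.score) && p.score >= 0 && p.score <= 1e9,
  'save.write': (p) =>
    typeof p.slot === 'string' && /^[a-z0-9_-]{1,32}$/.test(p.slot) &&
    typeof p.data === 'string' && p.data.length <= 65536,
};

// Decide whether a message from the iframe may be forwarded to the API.
// `expectedSource` is the iframe's contentWindow; anything else is dropped.
function evaluateBridgeMessage(event, expectedSource) {
  if (event.origin !== SANDBOX_ORIGIN) return { ok: false, reason: 'bad-origin' };
  if (event.source !== expectedSource) return { ok: false, reason: 'bad-source' };
  const msg = event.data;
  if (!msg || typeof msg !== 'object') return { ok: false, reason: 'bad-shape' };
  if (typeof msg.requestId !== 'string') return { ok: false, reason: 'bad-request-id' };
  // hasOwnProperty, not `in`, so 'constructor' or '__proto__' is not an action.
  const validate = Object.prototype.hasOwnProperty.call(ALLOWED_ACTIONS, msg.action)
    ? ALLOWED_ACTIONS[msg.action]
    : null;
  if (!validate) return { ok: false, reason: 'unknown-action' };
  const payload = msg.payload && typeof msg.payload === 'object' ? msg.payload : {};
  if (!validate(payload)) return { ok: false, reason: 'bad-payload' };
  return { ok: true, action: msg.action, payload, requestId: msg.requestId };
}

// Browser-side wiring: the host, which holds the session cookie, performs the
// network call and returns only the result to the sandbox (browser-only code).
function installBridge(iframe, callApi) {
  window.addEventListener('message', async (event) => {
    const verdict = evaluateBridgeMessage(event, iframe.contentWindow);
    if (!verdict.ok) return; // drop silently; do not echo reasons to the sandbox
    const result = await callApi(verdict.action, verdict.payload);
    iframe.contentWindow.postMessage(
      { requestId: verdict.requestId, result },
      SANDBOX_ORIGIN, // target origin pinned, never '*'
    );
  });
}
```

The reply is posted with the sandbox origin as the target, not `'*'`, so a navigated or swapped frame cannot receive another user's result.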

Secret scanning at publish

Before a build goes live we scan its source for leaked API keys, tokens, and other secrets, so credentials don't ship inside a published project.
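As an added illustration of what a publish-time scan looks like (this is not Joisk's scanner), the following checks each source line against a few well-known key formats and flags long quoted literals whose Shannon entropy suggests a token. The rule set and the 4.0-bit threshold are assumptions; the sample input in the test is constructed.

```javascript
// Added example, not Joisk's code. Patterns and threshold are assumptions.
const SECRET_PATTERNS = [
  { name: 'aws-access-key-id', re: /\bAKIA[0-9A-Z]{16}\b/g },
  { name: 'stripe-live-secret', re: /\bsk_live_[0-9A-Za-z]{20,}\b/g },
  { name: 'private-key-block', re: /-----BEGIN (?:RSA |EC )?PRIVATE KEY-----/g },
];

// Shannon entropy in bits per character; random tokens score high, words low.
function shannonEntropy(s) {
  const counts = new Map();
  for (const ch of s) counts.set(ch, (counts.get(ch) || 0) + 1);
  let h = 0;
  for (const c of counts.values()) {
    const p = c / s.length;
    h -= p * Math.log2(p);
  }
  return h;
}

// Scan one file's text; returns findings with 1-based line numbers.
function scanSource(filename, text) {
  const findings = [];
  const lines = text.split('\n');
  lines.forEach((line, i) => {
    for (const { name, re } of SECRET_PATTERNS) {
      re.lastIndex = 0; // /g regexes keep state between calls
      if (re.test(line)) findings.push({ file: filename, line: i + 1, rule: name });
    }
    // Generic rule: a quoted literal of 32+ token-like characters with high entropy.
    const literal = /["'`]([A-Za-z0-9+/=_\-]{32,})["'`]/g;
    let m;
    while ((m = literal.exec(line)) !== null) {
      if (shannonEntropy(m[1]) > 4.0) {
        findings.push({ file: filename, line: i + 1, rule: 'high-entropy-literal' });
      }
    }
  });
  return findings;
}

// Publish gate: true when nothing was flagged.
function buildIsClean(files) {
  return files.every(({ name, text }) => scanSource(name, text).length === 0);
}
```

Findings report the rule and line only, never the matched value itself, so the scanner's own output does not become a second place where the secret is written down.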

Server-authoritative money & credits

Prices, credit balances, payouts, and earnings are always computed and enforced on our servers. We never trust amounts sent from the browser.
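To make the "never trust amounts from the browser" rule concrete, here is an added example (not Joisk's code) of a server-side purchase handler. The request carries only a SKU; any `price` or `credits` field the client sends is ignored, the cost comes from a server-held catalog, and the balance check and debit happen together in one ledger operation. The catalog, the in-memory ledger and the status codes are assumptions.

```javascript
// Added example, not Joisk's code. Catalog values and the ledger are assumptions.
const CATALOG = Object.freeze({ 'hat-red': 50, 'hat-gold': 500 }); // credits, assumed

// In-memory stand-in for the server's credit store. A real store would make
// debit() a single transaction; here it is one synchronous read-check-write.
class CreditLedger {
  constructor(balances) {
    this.balances = new Map(Object.entries(balances));
    this.log = []; // append-only record of every balance change
  }
  balance(userId) {
    return this.balances.get(userId) ?? 0;
  }
  // Deduct only if the full amount is covered; never lets a balance go negative.
  debit(userId, amount, memo) {
    const current = this.balance(userId);
    if (amount > current) return false;
    this.balances.set(userId, current - amount);
    this.log.push({ userId, delta: -amount, memo });
    return true;
  }
}

// Server handler. `userId` comes from the authenticated session, not the body.
function handlePurchase(ledger, userId, request) {
  // Only the SKU is read from the request. request.price / request.credits are
  // deliberately not consulted, so a tampered client cannot set its own price.
  const sku = typeof request.sku === 'string' ? request.sku : null;
  if (!sku || !Object.prototype.hasOwnProperty.call(CATALOG, sku)) {
    return { status: 400, error: 'unknown-sku' };
  }
  const cost = CATALOG[sku];
  if (!ledger.debit(userId, cost, `purchase:${sku}`)) {
    return { status: 402, error: 'insufficient-credits', required: cost, balance: ledger.balance(userId) };
  }
  return { status: 200, sku, charged: cost, balance: ledger.balance(userId) };
}
```

The same shape applies to payouts and earnings: the server derives the number from its own records and the client only names what it wants, never how much it is worth.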

Joisk is the Merchant of Record

Payments run through Stripe with Joisk as the Merchant of Record. We don't store raw card numbers — card data is handled by Stripe's PCI-compliant systems.

Account-gated access

Play and build access is gated behind authenticated accounts, with server-side session checks rather than client-side trust.

Least-privilege data rules

Firestore and Storage rules deny by default; sensitive collections (reports, payouts, security reports) are reachable only through our server using the Admin SDK.

Responsible disclosure policy

If you believe you've found a security vulnerability in Joisk, we want to hear about it. We welcome reports from security researchers and will work with you to understand and resolve the issue quickly.

In scope

  • The Joisk website and web app at joisk.com.
  • Our APIs, authentication, billing, and credits systems.
  • The AI builder, publishing pipeline, and the game host bridge.
  • The sandbox isolation around user-built games and apps.

Out of scope

  • Content inside user-generated builds (use abuse reporting for harmful content).
  • Volumetric denial-of-service, spam, or social-engineering of our staff or users.
  • Reports from automated scanners with no demonstrated, real-world impact.
  • Issues in third-party services (Stripe, Firebase, etc.) — report those to the vendor.

Safe harbor

If you make a good-faith effort to comply with this policy during your research, we will consider your activity authorized, will not pursue or support legal action against you, and will work with you to understand and resolve the issue. Please avoid privacy violations, data destruction, and service degradation. Only access, modify, or store the minimum data necessary to demonstrate an issue, and never access or exfiltrate other users' data.

How to report

Email security@joisk.com or use the form below. Our machine-readable policy is published at /.well-known/security.txt (RFC 9116). Please include clear reproduction steps, the affected URLs, and the impact you observed.

What to expect

  • We aim to acknowledge new reports within 3 business days.
  • We'll keep you updated as we triage and remediate, and let you know when a fix ships.
  • We don't run a paid bug-bounty program yet, but we're grateful for responsible disclosure and are happy to credit you (with your permission) once an issue is resolved.

Report a vulnerability

Send us the details below. You don't need an account — leave a contact if you'd like us to follow up.