Security
MenuLynx handles restaurant menu data and customer-facing pages. If you find a security issue, please tell us before disclosing it publicly.
Latest · v1.0.0 · Hosted SaaS
Reporting
Email menulynx.app@gmail.com. Include:
- What the issue is and what an attacker can do with it.
- Steps to reproduce — a minimal PoC is ideal.
- Which part of the platform is affected (dashboard, menu pages, API).
Once it's fixed, we'll credit you unless you'd prefer to stay anonymous.
Please do not disclose security issues publicly until we have had a chance to address them.
What's in scope
- The owner dashboard — authentication, authorisation, and any place where untrusted input is processed.
- Public menu pages — XSS, content injection, or anything that could harm visitors.
- The API — authentication bypass, excessive data exposure, or broken access controls.
- Data isolation between venue accounts.
What's not
- Bugs in upstream dependencies (Next.js, the hosting platform, etc.). Report those to the relevant project.
- Issues that require physical access to a logged-in device.
- Rate-limiting and denial-of-service findings without a realistic attack scenario.
Data we protect
- Owner credentials and account data are stored encrypted at rest.
- Menu content (items, photos) is hosted on our infrastructure and access-controlled per venue.
- Customer visitors do not log in and we do not collect personal data from them beyond server logs.
Reach us at menulynx.app@gmail.com.
