Security
Security expectations and responsible reporting for DizzyScripts services.
Account security
The support website includes email verification, password hashing, login rate limiting, optional authenticator-app two-factor authentication, recovery codes, and account security notices. Users are responsible for protecting passwords, email inboxes, authenticator apps, and recovery codes.
Payment and delivery security
Paddle webhook signatures are verified when Paddle is used. Direct ZIP packages are stored outside public paths where configured, and download links use expiring tokens, hashed token storage, limits, and activity logs. Envato purchase verification avoids displaying full purchase codes after storage. Codester license verification stores hashed license codes and admin review status instead of exposing full codes repeatedly.
Admin and maintenance security
Maintenance mode can restrict visitors and normal users to a public maintenance page. Admin recovery access uses a private rescue URL and stored hash instead of exposing the full URL in plain text.
Security reports
If you believe you have found a security issue, contact support@dizzyscripts.com with the affected URL, steps to reproduce, screenshots or logs where useful, and the expected impact. Do not publicly disclose the issue before it is reviewed.
Customer responsibility
Customers are responsible for maintaining secure hosting, server software, PHP versions, database access, file permissions, administrator passwords, SSL certificates, and backups for their own installations.