Security Update

KSUK Dev Team
Infrastructure & DevOps

Recently, a discussion surfaced around a potential API key leak involving our website or associated services. We take these concerns seriously and launched an immediate investigation.

✅ No Security Incident

After reviewing the situation, we can confirm there was no security breach. The value identified was a user-specific token—generated for the individual who reported the issue—and not a leak of system-wide credentials or sensitive internal data.

🔍 Context: API-First Origins

When we first built Karting Stats, it was designed as an API-first platform, with the website added later due to the unexpected popularity of the service. In our initial architecture, user-specific API keys were used to authenticate requests directly from client applications. While functional, this approach has better alternatives, which we are now implementing.

As we continue to evolve the platform, we’re actively phasing out API keys in favor of more robust authentication mechanisms. This change is motivated by:

  • Improved token lifecycle management
  • Reduced surface area for client-side exposure
  • Better alignment with browser security best practices

📄 New: Vulnerability Disclosure Policy

We’ve also taken this opportunity to publish our Security Vulnerability Disclosure Policy, aligning with RFC 9116. This defines how researchers and users can report potential vulnerabilities in a responsible manner.

🔗 You can find it here:
👉 https://kartingstats.uk/.well-known/security.txt
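As an added illustration of what aligning with RFC 9116 requires (example code, not the Karting Stats team's own), here is a small Python checker for a security.txt file: it enforces the mandatory Contact and Expires fields, the once-only Preferred-Languages field, and the RFC 3339 Expires date-time, and it runs against constructed inputs rather than the real file.

```python
import re
from datetime import datetime, timedelta, timezone

# Contact values must be URIs; RFC 9116 names the https, mailto and tel schemes.
URI_RE = re.compile(r"^(https://|mailto:|tel:)\S+$", re.IGNORECASE)

def parse_security_txt(text):
    # Field names are case-insensitive; keep values in file order (Contact order = priority).
    fields, errors = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and '#' comments are permitted anywhere
        name, sep, value = line.partition(":")
        if not sep or not value.strip():
            errors.append(f"line {lineno}: expected 'Field: value'")
            continue
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields, errors

def validate_security_txt(text, now=None):
    """Return a list of problems; an empty list means the file passes these checks."""
    now = now or datetime.now(timezone.utc)
    fields, errors = parse_security_txt(text)
    contacts = fields.get("contact", [])
    if not contacts:
        errors.append("Contact is REQUIRED and must appear at least once")
    errors += [f"Contact is not an https/mailto/tel URI: {c}"
               for c in contacts if not URI_RE.match(c)]
    expires = fields.get("expires", [])
    if len(expires) != 1:
        errors.append("Expires is REQUIRED and must appear exactly once")
    else:
        try:  # RFC 3339 allows a trailing 'Z'; older fromisoformat() wants '+00:00'
            when = datetime.fromisoformat(re.sub(r"[Zz]$", "+00:00", expires[0]))
            if when.tzinfo is None:
                errors.append("Expires must be an RFC 3339 date-time with a UTC offset")
            elif when <= now:
                errors.append(f"Expires {expires[0]} has passed: the file is stale")
            elif when - now > timedelta(days=365):
                errors.append("Expires is more than a year away (RFC 9116 recommends less)")
        except ValueError:
            errors.append(f"Expires is not an RFC 3339 date-time: {expires[0]}")
    if len(fields.get("preferred-languages", [])) > 1:
        errors.append("Preferred-Languages must not appear more than once")
    return errors

# Constructed inputs, not the real kartingstats.uk file; fixed 'now' keeps results reproducible.
GOOD = "# constructed sample\nContact: mailto:security@example.invalid\nExpires: 2026-01-01T00:00:00Z\n"
BAD = "Contact: http://example.invalid/report\nExpires: 2020-01-01T00:00:00Z\n"
FIXED_NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)
```

Running `validate_security_txt(GOOD, now=FIXED_NOW)` returns no problems, while the BAD input reports both the non-https Contact URI and the expired Expires date.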

Looking Ahead

We want to reassure users that there are no known vulnerabilities in the system today. Our team is actively working on enhancements to privacy, security, and performance as we continue to grow.

Thanks for your continued trust and support.

The Karting Stats Team