Responsible Disclosure Policy
Version: 1.0
Last Updated: July 24, 2025
Legal entity: Swipefy B.V. (The Netherlands)
1. Introduction
Founder’s note: Thanks for taking the time to review Swipefy. Before writing the first line of production code, I spent years exploring, testing, and breaking things (ethically!) to learn how to build safer software. That mindset is baked into Swipefy—we’ve tried to ship with secure defaults and defense in depth. Still, no system is perfect, which is why your research is invaluable. I fully support responsible testing and want this process to be friendly, transparent, and rewarding for everyone involved.
We deeply appreciate the work of security researchers and the broader security community. If you believe you’ve discovered a vulnerability in any Swipefy product or service, we want to hear from you. This policy explains how to report issues to us, what you can expect in return, and the rules of engagement to keep everyone safe and legal.
2. Scope
In scope (all environments unless otherwise stated):
- Mobile apps: iOS, iPadOS, Android
- Desktop apps: macOS, Windows, Linux
- Web app and website (including any subdomains)
- Public and private APIs
- Backend infrastructure and related services
Third-party services: You may report issues that appear to originate in third-party components or services that impact Swipefy. We will coordinate with the third party as needed and can include you in the communication and credit (if you wish).
Out of scope (currently none): We reserve the right to update this section over time. For now, we have not defined specific exclusions, but please follow the rules of engagement below.
3. Rules of Engagement
By participating, you agree to the following:
- No automated or aggressive scanning. Avoid high-volume scans, denial of service (DoS), brute force, or resource-exhaustion attacks.
- Use test accounts responsibly. You may create test accounts solely for research, but you must report the account identifiers (e.g., email/username) to us when you submit the vulnerability.
- Do not access or modify data you do not own. Never intentionally access, exfiltrate, or delete other users’ data. If you accidentally access personal data, stop immediately and report it to us.
- Respect availability. Do not disrupt our services or the experiences of our users.
- Follow coordinated disclosure. Do not publicly disclose details of the vulnerability until we confirm it is remediated—or until we mutually agree on a disclosure timeline.
- Follow all applicable laws. Operate in good faith and in accordance with local laws. Our safe harbor statement (Section 8) is intended to protect you if you act in good faith within this policy.
4. How to Report
Primary contact: [email protected]
(We do not currently publish a PGP key.)
Please include the following details in your report:
- A detailed description of the vulnerability and its impact.
- Step-by-step reproduction instructions or proof-of-concept code.
- Affected assets (URL, endpoint, platform, version, etc.).
- Any test account credentials you created during testing.
- Your preferred recognition name/handle and whether you’d like to be listed on our Hall of Fame.
We greatly appreciate concise, clear reports. Screenshots and short videos help, but please make sure they do not contain sensitive data belonging to other users.
5. Timelines & Service Level Agreements (SLAs)
- Acknowledgement: within 3 business days of receiving your report.
- Status updates: at least every 2 weeks until resolution.
- Remediation targets (from validation date):
  - Critical: 30 days
  - High: 60 days
  - Medium: 90 days
  - Low/Informational: 180 days
If we anticipate delays, we’ll communicate them proactively and discuss temporary mitigations where appropriate.
6. Rewards & Recognition
We run a discretionary bounty program based on vulnerability severity, impact, and report quality:
- Monetary bounty: Offered for higher-impact findings. Amounts vary by severity and clarity of the report.
- Swag: Commonly awarded, especially for lower-severity or informational reports.
- Lifetime Pro subscription: Granted for every valid, in-scope vulnerability report.
- Hall of Fame: We maintain a public “Thank You” page. Details (name, handle, link) will be discussed with each researcher.
We may request that you sign a simple agreement or NDA prior to bounty payout when specific legal or tax considerations arise.
7. Severity & Triage
Swipefy uses internal severity tiers (inspired by industry standards such as CVSS) to classify and prioritize vulnerabilities. Our security team triages reports internally. We consider:
- Impact on confidentiality, integrity, and availability
- Ease of exploitation
- Potential for user harm or data exposure
- Presence of mitigating controls or preconditions
We may request additional information or clarifications during triage.
8. Safe Harbor & Legal
We commit to not pursuing or initiating legal action against you for security research and vulnerability disclosure activities that:
- Are conducted in good faith
- Fall within the guidelines of this policy
- Avoid privacy violations, service disruptions, and destruction of data
This policy is governed by the laws of The Netherlands. We will apply our safe harbor commitment to the fullest extent permitted by these laws and any other applicable jurisdictions. If legal action is initiated by a third party against you related to actions conducted under this policy, and you have complied with this policy, we will take steps to make it known that your actions were authorized and conducted in good faith.
9. Data Handling & Privacy Expectations
- Access the minimum amount of data necessary to demonstrate the vulnerability.
- If you inadvertently access personal data, stop immediately and inform us.
- Do not store, share, or transmit personal data beyond what is required to report the issue. Securely delete any such data after reporting.
10. Coordinated Disclosure & Embargo
- Please do not publicly disclose the vulnerability or share it with others until we have resolved it or until we mutually agree on a timeline.
- By default, we request an embargo period until remediation is complete. If remediation exceeds generally accepted time frames (e.g., 90 days for critical issues), we will discuss an acceptable disclosure date with you.
11. Policy Changes & Program Termination
Swipefy may update or revoke this policy and the scope of this program at any time. Changes will be noted by updating the “Last updated” date and version number. Your continued participation after an update signifies acceptance of the new terms.
12. Hall of Fame
We are excited to recognize and thank researchers who help make Swipefy safer. If you wish to be listed, we will confirm the details (name, alias, link) with you when the report is closed.
13. Questions?
If anything is unclear or if you need pre-authorization for a particular test scenario, please reach out at [email protected] before proceeding.
Thank you for helping us keep Swipefy secure!