Security & Vulnerability Disclosure Policy
A responsible-disclosure policy for security researchers.
17.1 Our Commitment
FitSwap takes the security of user data seriously and welcomes good-faith reports from security researchers. This policy describes what we consider good faith, what's in scope, and what you can expect from us in return.
17.2 Reporting a Vulnerability
Send a report that includes:
- The affected page, endpoint, or feature
- Steps to reproduce the issue, as specific as possible
- What you were able to access or do that you believe you shouldn't have been able to
- Any tools, scripts, or requests used, so we can reproduce it exactly
Send reports to security@fitswapapp.com.
17.3 Scope
In scope:
- The FitSwap web application and its API endpoints
- Authentication, authorization, and access-control issues (e.g., reaching another user's data, or an admin-only page, without authorization)
- Data exposure issues (e.g., personal information visible where it shouldn't be)
Out of scope:
- Denial-of-service testing, load testing, or anything that degrades the Services for other users
- Social engineering or phishing directed at FitSwap staff or users
- Physical access attempts against FitSwap facilities or personnel
- Automated scanning at a volume that itself disrupts service
- Spamming users or listings as a way of demonstrating a vulnerability
- Vulnerabilities in third-party services FitSwap uses but doesn't control
17.4 Safe Harbor
If you make a good-faith effort to comply with this policy — staying within scope, avoiding privacy violations, not destroying data, and not disrupting the Services — FitSwap will not pursue legal action or refer you to law enforcement for that research, and will consider your access authorized for the purpose of applicable computer-access laws. This safe harbor doesn't extend to actions outside this policy's scope.
17.5 What to Expect From Us
- Acknowledgment of your report within 3 business days
- An initial assessment of severity and validity within 10 business days
- Ongoing updates as we work on a fix, and notice once it's deployed
17.6 Coordinated Disclosure
Please give us a reasonable opportunity to fix an issue before disclosing it publicly — 90 days from your report, or until we confirm a fix is deployed, whichever comes first. We'll work with you on timing if a fix reasonably needs longer.
17.7 Payment Data
Card details are collected and processed directly by Stripe, our payment processor — FitSwap's servers never receive or store your full card number. Reports involving Stripe's own infrastructure (as opposed to how FitSwap integrates with it) should go to Stripe directly; see §17.3 on third-party services.
17.8 Recognition
FitSwap does not currently run a paid bug bounty program. Researchers who submit a valid report and want to be credited will be named in a thanks/acknowledgments list once the issue is resolved, unless they prefer to remain anonymous.
See also: Privacy Policy, Terms of Service