FitSwap

Security & Vulnerability Disclosure Policy

A responsible-disclosure policy for security researchers.

17.1 Our Commitment

FitSwap takes the security of user data seriously and welcomes good-faith reports from security researchers. This policy describes what we consider good faith, what's in scope, and what you can expect from us in return.

17.2 Reporting a Vulnerability

Send a report that includes:

Send reports to security@fitswapapp.com.

17.3 Scope

In scope:

Out of scope:

17.4 Safe Harbor

If you make a good-faith effort to comply with this policy — staying within scope, avoiding privacy violations, not destroying data, and not disrupting the Services — FitSwap will not pursue legal action or refer you to law enforcement for that research, and will consider your access authorized for the purpose of applicable computer-access laws. This safe harbor doesn't extend to actions outside this policy's scope.

17.5 What to Expect From Us

17.6 Coordinated Disclosure

Please give us a reasonable opportunity to fix an issue before disclosing it publicly — 90 days from your report, or until we confirm a fix is deployed, whichever comes first. We'll work with you on timing if a fix reasonably needs longer.

17.7 Payment Data

Card details are collected and processed directly by Stripe, our payment processor — FitSwap's servers never receive or store your full card number. Reports involving Stripe's own infrastructure (as opposed to how FitSwap integrates with it) should go to Stripe directly; see §17.3 on third-party services.

17.8 Recognition

FitSwap does not currently run a paid bug bounty program. Researchers who submit a valid report and want to be credited will be named in a thanks/acknowledgments list once the issue is resolved, unless they prefer to remain anonymous.

See also: Privacy Policy, Terms of Service