Security policy

We take the security of SABR — web, iOS and Android — seriously. This page describes how to report a vulnerability responsibly and what to expect from us in return.

Reporting a vulnerability

Email support.sabr@gmail.com with “Security report” in the subject line, or use the details in our security.txt file.

Please include:

  • A description of the issue and its impact.
  • Steps to reproduce (proof-of-concept if possible).
  • The affected surface (web URL, mobile version, API endpoint).

What we commit to

  • Acknowledge receipt within 48 hours.
  • First response within 5 business days.
  • Not pursue legal action against good-faith researchers.
  • Credit you in the release notes if you request it.

What we ask

  • Do not disclose the issue publicly before we have a chance to investigate and fix it.
  • Do not access, modify or delete data that isn't yours.
  • Do not run automated scanners at high volume — they trip our WAF and add noise.

Out of scope

The following issues are already known to us and are generally not eligible for a report:

  • Missing security headers on subresources served via CDN (Vercel Insights).
  • Rate-limit bypass via distributed IP rotation on our public marketing pages (we rely on Cloudflare in front for that layer).
  • Missing DMARC / SPF on non-transactional domains.

Bounty

We currently don't operate a monetary bounty programme. We do offer acknowledgement in release notes and a warm thank-you for high-impact reports.