Security policy
We take the security of SABR — web, iOS and Android — seriously. This page describes how to report a vulnerability responsibly and what to expect from us in return.
Reporting a vulnerability
Email support.sabr@gmail.com with “Security report” in the subject line, or use the contact details in our security.txt file (the RFC 9116 security contact file, conventionally served at /.well-known/security.txt).
Please include:
- A description of the issue and its impact.
- Steps to reproduce (proof-of-concept if possible).
- The affected surface (web URL, mobile platform and app version, or API endpoint).
What we commit to
- Acknowledge receipt within 48 hours.
- A substantive first response (triage outcome and next steps) within 5 business days.
- Not pursue legal action against researchers acting in good faith and within the guidance under “What we ask”.
- Credit you in the release notes if you request it.
What we ask
- Do not disclose the issue publicly before we have a chance to investigate and fix it.
- Do not access, modify or delete data that isn't yours.
- Do not run automated scanners at high volume — they trip our WAF and add noise.
Out of scope
The following issues are already known to us and are generally not eligible for a report:
- Missing security headers on subresources served via CDN (Vercel Insights).
- Rate-limit bypass via distributed IP rotation on our public marketing pages (we rely on Cloudflare in front for that layer).
- Missing DMARC / SPF on non-transactional domains.
Bounty
We currently don't operate a monetary bounty programme. We do offer acknowledgement in release notes and a warm thank-you for high-impact reports.