SpendCaddie

Vulnerability Disclosure Policy

Last Updated: January 11, 2026

1. Introduction

SpendCaddie takes the security of our systems and user data seriously. We appreciate the security research community's efforts in helping us maintain a secure platform. This policy outlines how to responsibly report security vulnerabilities.

2. Scope

2.1 In Scope

  • SpendCaddie web application (app.spendcaddie.com)
  • SpendCaddie API (api.spendcaddie.com)
  • SpendCaddie mobile applications (iOS and Android)
  • Authentication and authorization systems
  • Data storage and transmission

2.2 Out of Scope

  • Third-party services we integrate with (report to them directly)
  • Social engineering attacks
  • Physical attacks
  • Denial of service (DoS/DDoS) attacks
  • Spam or email bombing

3. Qualifying Vulnerabilities

We are interested in vulnerabilities such as:

  • Cross-site scripting (XSS)
  • Cross-site request forgery (CSRF)
  • SQL injection
  • Authentication bypass
  • Authorization flaws (e.g. insecure direct object references, IDOR)
  • Remote code execution
  • Server-side request forgery (SSRF)
  • Sensitive data exposure
  • Security misconfigurations

4. Reporting Guidelines

4.1 How to Report

Please report vulnerabilities to: security@spendcaddie.com

Include in your report:

  • Description of the vulnerability
  • Steps to reproduce
  • Potential impact
  • Any proof-of-concept code or screenshots
  • Your contact information

4.2 Encryption

For sensitive reports, please use our PGP key (available on our security page) to encrypt your communication.

5. Our Commitment

When you report a vulnerability in good faith, we commit to:

  • Acknowledge receipt within 2 business days
  • Provide an initial assessment within 7 business days
  • Keep you informed of our progress
  • Work to remediate confirmed vulnerabilities promptly
  • Credit you publicly (if desired) once the issue is resolved
  • Not take legal action against good-faith security research

6. Safe Harbor

If you conduct research in accordance with this policy, we will:

  • Consider your research authorized
  • Not pursue legal action against you
  • Work with you to understand and resolve the issue

This safe harbor applies only to research conducted in compliance with this policy.

7. Rules of Engagement

When testing, please:

  • Only test against accounts you own or have permission to test
  • Avoid accessing or modifying data belonging to other users
  • If you encounter sensitive data (for example another user's personal or financial information), stop testing immediately, do not retain, copy or further access it, and report what you found
  • Do not publicly disclose vulnerabilities before they are fixed
  • Keep automated scanning to a low rate; high-volume scanning that degrades the service is treated as a denial-of-service attack, which is out of scope
  • Do not attempt social engineering or phishing

8. Recognition

We recognize researchers who report valid security vulnerabilities on our Security Hall of Fame (with their permission). While we don't currently offer monetary rewards, we may provide:

  • Public acknowledgment
  • SpendCaddie swag
  • Premium subscription credits

9. Response Timeline

Severity    Target Resolution Time
Critical    24-48 hours
High        7 days
Medium      30 days
Low         90 days

10. Governing Law

This policy is governed by the laws of the State of Colorado.

11. Contact

For security vulnerability reports: security@spendcaddie.com

For general security questions: security@spendcaddie.com (Subject: "Security Question")

Mailing Address: Bobby Built Ventures LLC (DBA SpendCaddie), 1500 N Grant St, Ste R, Denver, CO 80203