SpendCaddie

Vulnerability Disclosure Policy

Version: 2.0
Effective Date: May 21, 2026
Last Updated: May 21, 2026

SpendCaddie values good-faith security research. This Vulnerability Disclosure Policy explains how to report potential security vulnerabilities responsibly.

This policy does not create a bug bounty, service-level agreement, employment relationship, contractor relationship, or permission to access user data.

1. Reporting contact

Send vulnerability reports to: support@spendcaddie.com

Use the subject line: "Security Vulnerability Report"

Include:

  • a clear description of the issue;
  • affected URL, endpoint, screen, or feature;
  • steps to reproduce;
  • potential impact;
  • screenshots or proof-of-concept details that do not expose real user data;
  • your contact information; and
  • whether you agree to keep the report confidential while we investigate.

2. Scope

In-scope systems are limited to SpendCaddie-controlled public systems that are currently available to users, such as:

  • spendcaddie.com and SpendCaddie-controlled web application surfaces;
  • SpendCaddie-controlled API routes;
  • SpendCaddie-controlled account, authentication, debt-planning, Plaid integration, billing-entitlement, and privacy flows; and
  • the public iOS app if released.

Android/Google Play systems are not in public launch scope unless SpendCaddie separately announces Android availability.

3. Out of scope

The following are out of scope:

  • third-party systems not controlled by SpendCaddie, including Plaid, Stripe, Apple, RevenueCat, Supabase, Vercel, Anthropic, Upstash, Resend, Expo, financial institutions, and app stores;
  • provider-side vulnerabilities unrelated to SpendCaddie's implementation;
  • social engineering;
  • phishing;
  • spam;
  • physical attacks;
  • denial-of-service or resource-exhaustion testing;
  • attacks against users, employees, contractors, vendors, or support channels;
  • attempts to access, modify, retain, exfiltrate, or disclose real user data;
  • destructive testing;
  • malware, persistence, backdoors, or unauthorized code execution beyond safe proof-of-concept limits;
  • testing that violates law or third-party terms;
  • reports based only on missing security headers without demonstrated impact;
  • automated scanner output without validation;
  • clickjacking reports on pages that do not perform sensitive actions;
  • rate-limit reports without demonstrated risk; and
  • vulnerabilities requiring a compromised device, account, browser extension, or operating system unless there is a SpendCaddie-specific exploit path.

4. Good-faith testing rules

To qualify for good-faith treatment under this policy, you must:

  • test only accounts you own or are authorized to use;
  • avoid accessing or exposing real user data;
  • minimize data access;
  • stop testing immediately if you encounter personal, financial, or sensitive data;
  • not retain, copy, share, or disclose user data;
  • not degrade, disrupt, or damage the Service;
  • not bypass payment or entitlement systems except in a harmless proof-of-concept using your own account;
  • not perform denial-of-service testing;
  • not test third-party provider systems;
  • comply with applicable law; and
  • give SpendCaddie a reasonable opportunity to investigate before public disclosure.

5. Our response

We aim to acknowledge and triage good-faith reports within a reasonable time. Any acknowledgement, triage, remediation, or disclosure timelines are operational targets, not service-level commitments or guarantees.

We may contact you for additional information. We may choose not to respond to reports that are out of scope, duplicative, low quality, abusive, automated without validation, or unrelated to SpendCaddie-controlled systems.

6. Safe harbor statement

If you comply with this policy, act in good faith, avoid privacy harm, and comply with applicable law, SpendCaddie does not intend to initiate legal action against you for the research activity covered by this policy. This statement does not bind third parties and does not authorize conduct that violates law or third-party terms.

7. No bounty

SpendCaddie does not currently offer a paid bug bounty. Submitting a report does not entitle you to compensation, employment, public credit, or any other reward.

8. Confidentiality and disclosure

Do not publicly disclose a vulnerability until we have had a reasonable opportunity to investigate and address it. Coordinate disclosure timing with us where possible. Do not disclose personal data, financial data, secrets, tokens, screenshots containing user data, or exploit details that would create risk.

9. Emergency account issues

If you believe your own account has been compromised, contact support@spendcaddie.com and take steps to secure your email account, devices, financial accounts, and credentials.