Vulnerability Disclosure Policy

Last updated: May 2026

SwingIQ is committed to keeping our users' data safe. We welcome responsible disclosure of security vulnerabilities. If you discover a security issue, we ask that you follow this coordinated disclosure process so we can fix it before it affects users.

Please do not open a public GitHub issue for security vulnerabilities. Public disclosure before remediation puts our users at risk.

How to Report

1. Contact Us Privately

Email the details to our security team. Do not open a public GitHub issue, post on social media, or disclose the vulnerability before we have had a chance to investigate and remediate.

2. We Acknowledge Within 48 Hours

We will confirm receipt of your report within 48 hours and provide an initial assessment within 5 business days.

3. We Investigate and Fix

Confirmed vulnerabilities will be remediated within 30 days for critical/high severity, and within 90 days for medium/low severity.

4. We Coordinate Disclosure

We will coordinate public disclosure timing with you. We are happy to credit your discovery in our release notes if you would like to be acknowledged.

Contact

Send your vulnerability report to our security team:

security@swingiq.app

(Replace this placeholder with your real security email before public launch — see SECURITY.md at the repository root.)

What to Include in Your Report

  • A clear description of the vulnerability
  • Step-by-step instructions to reproduce it
  • The potential impact on users
  • Any proof-of-concept code or screenshots (optional but helpful)
  • Your suggested fix or remediation (optional)
  • Whether you would like to be credited publicly

In Scope

  • Authentication bypass or session hijacking
  • Unauthorized access to other users' data (IDOR)
  • SQL injection or database exposure
  • Cross-site scripting (XSS) that affects other users
  • Server-side request forgery (SSRF)
  • Remote code execution
  • Sensitive data exposure (API keys, user PII)
  • Broken access control in API routes

Out of Scope

  • Denial of service (DoS/DDoS) attacks
  • Social engineering or phishing attacks
  • Vulnerabilities in third-party services we use (report directly to them)
  • Issues requiring physical access to a device
  • Automated scanner results without proof of exploitability
  • Rate-limiting issues that do not lead to account compromise
  • Missing security headers with no demonstrated impact
  • Issues in non-current browsers or operating systems

Safe Harbor

We will not pursue legal action against security researchers who:

  • Follow this coordinated disclosure policy
  • Make a good-faith effort to avoid accessing or modifying other users' data
  • Do not perform denial-of-service attacks
  • Do not use findings for personal gain beyond recognition

This safe harbor applies to security research conducted in good faith under this policy. It does not apply to attackers who exploit vulnerabilities for malicious purposes.

Response Timelines

Severity    Acknowledgment    Target Fix
Critical    48 hours          7 days
High        48 hours          30 days
Medium      48 hours          60 days
Low         48 hours          90 days