
Vulnerability Disclosure Policy

This policy explains how to submit a vulnerability report, which systems are in scope, which tests are not accepted, and what you can expect from us during the process.

How to report a vulnerability

If you believe you have identified a security vulnerability, please send your report to the address below:

[email protected]

Sharing your report as clearly, technically, and reproducibly as possible helps us assess the issue faster.

Please include the following information in your report whenever possible:

  • The affected web page, application screen, API operation, or system component
  • Steps to reproduce the issue
  • The difference between expected behavior and observed behavior
  • The potential impact of the vulnerability
  • Device, operating system, browser, or application version used
  • Screenshots, short videos, log entries, or proof-of-concept if available
  • An explanation of how the vulnerability can be verified without being exploited

Please do not include real user data, unnecessary personal data, third-party account information, or sensitive content in your report. If a minimum amount of information is enough to verify a vulnerability, avoid collecting or transmitting more.

Assets in scope

This policy covers the digital assets directly operated and controlled by CardWho.

Assets in scope generally include:

  • CardWho’s official websites
  • Official subdomains operated by CardWho
  • CardWho’s official iOS and Android mobile applications
  • API services owned by CardWho
  • Admin dashboards owned by CardWho
  • Other official applications, services, and system components operated by CardWho

The scope is limited to systems CardWho directly controls. Systems operated by third-party providers are considered only for vulnerabilities that arise from a CardWho configuration or integration and directly affect CardWho users.

Assets and services out of scope

The following systems and services are expressly outside the scope of this policy:

  • Apple App Store
  • Google Play
  • Cloudflare
  • OVH
  • Payment infrastructure providers
  • Email service providers
  • Analytics, notification, error tracking, or marketing tools
  • Third-party websites, APIs, applications, and services not operated by CardWho

Vulnerabilities identified in such third-party services should be reported through the relevant provider’s own security disclosure channels.

However, if you identify a security risk that arises from a CardWho-side configuration of a third-party integration and directly affects CardWho users, you may report it to us.

Accepted types of vulnerabilities

The following types of vulnerabilities may be considered in scope:

  • Unauthorized access
  • Authentication or session management flaws
  • Privilege escalation vulnerabilities
  • Cross-user data access
  • Unauthorized exposure of sensitive data
  • API security vulnerabilities
  • Server-side security vulnerabilities
  • Mobile application security vulnerabilities
  • Business logic flaws
  • Misconfigurations with clearly demonstrable security impact
  • Vulnerabilities causing security impact in payment, subscription, or account flows
  • Issues that affect user privacy or data integrity

For a finding to be considered in scope, it must have a realistic and explainable security impact.

Out-of-scope findings

The following reports are generally considered out of scope:

  • Automated scanner output without demonstrable security impact
  • Missing HTTP headers that are informational only
  • Version disclosures without proven security impact
  • Theoretical issues without demonstrable impact
  • Self-XSS findings that require user interaction and have limited security impact
  • Scenarios that require an already-compromised device, browser, operating system, or user account
  • Social engineering
  • Phishing attempts
  • Physical security testing
  • Testing targeting employees, users, business partners, or service providers
  • Denial-of-service attacks
  • Tests that generate excessive traffic
  • Brute force, credential stuffing, or password guessing attacks
  • Spam, bulk email, bulk form submission, or automated registration attempts
  • Downloading, altering, deleting, or disclosing real user data
  • Vulnerabilities in third-party service providers’ own infrastructure
  • Domains, applications, or systems not operated by CardWho
  • Issues that only affect users’ own devices or local environments
  • Best-practice recommendations without clearly demonstrated security impact

CardWho reserves the right to exclude reports that have no security impact, that cannot be verified, or that fall outside the scope of this policy.

Rules to follow during security research

While conducting security research, we expect you to follow the rules below:

  • Only test systems within scope.
  • Conduct your tests with minimal impact.
  • Do not attempt to access, download, alter, or delete real user data.
  • Perform the least amount of testing necessary to verify a vulnerability.
  • Avoid tests that could disrupt system operation.
  • Do not perform actions that could cause service outages, performance degradation, or data loss.
  • Do not attempt to access other users’ accounts, data, or devices.
  • Do not use social engineering, phishing, physical attacks, or employee-targeting methods.
  • Allow us reasonable time to assess and remediate before disclosing publicly.
  • Do not share the vulnerability with third parties.
  • Use the information you obtain only to report the vulnerability.

Conduct that violates these rules is not considered good-faith security research under this policy.

Our response process

When we receive a valid security report, we aim to review it as soon as possible.

Our target response times are as follows:

Stage                                           Target time
Confirmation of report receipt                  Within 2 business days
Initial technical assessment                    Within 7 calendar days
Priority and impact assessment                  Within 10 calendar days
Fix or mitigation for critical findings         Target within 14 days
Fix or mitigation for high-priority findings    Target within 30 days
Medium and low-priority findings                Scheduled based on risk, impact, and technical scope

These times are targets. They may vary depending on the complexity of the vulnerability, third-party dependencies, platform approval processes, mobile app store reviews, or technical requirements.

We may request additional information from you when needed. The evaluation of your report depends on the sufficiency of the information provided and the verifiability of the security impact.

Prioritization

We take the following criteria into account when assessing vulnerabilities:

  • Impact on user data
  • Likelihood of unauthorized access
  • Number of affected users or systems
  • Exploitability of the vulnerability
  • Whether the vulnerability can be exploited remotely
  • Impact on business continuity and service reliability
  • Impact on payment, subscription, or account security
  • Existing mitigating controls

CardWho determines the priority and severity level of a reported vulnerability based on its own technical and operational assessment.

Public disclosure

Public disclosure of reported vulnerabilities should occur only with prior written agreement from CardWho.

Please do not share a vulnerability publicly before the following have taken place:

  • The report has reached us
  • The vulnerability has been technically assessed
  • The necessary fix or mitigation has been applied
  • Timing and content of the disclosure have been agreed upon

Where appropriate and upon your request, we may publicly acknowledge your contribution. However, in some cases public disclosure may not take place due to user safety, data privacy, ongoing investigations, or risk of abuse.

Good-faith reports

Under this policy, we look favorably on research that is conducted in good faith, stays within scope, does not harm user data, does not disrupt service continuity, and reports the vulnerability responsibly.

Good-faith security research means:

  • Tests are limited to systems within scope
  • User data is not accessed without authorization
  • If user data is accessed inadvertently, it is not viewed further, copied, stored, or shared
  • No service disruption is caused
  • The vulnerability is not abused
  • The vulnerability is not shared with third parties
  • CardWho is given reasonable time to assess and remediate

This policy does not authorize malicious activity, data breaches, service disruption, harm to third parties, or testing on out-of-scope systems.

CardWho reserves the right to assess each report on its own merits and to retain its legal rights where necessary.

Privacy and data protection

Any personal data you share with us as part of a vulnerability report is processed only to evaluate your report, communicate with you, verify and fix the vulnerability, and keep the necessary records.

Please avoid sharing third-party personal data in your report. If you realize you have accessed personal data while verifying a vulnerability, please stop the access immediately and clearly note this in your report.

CardWho may use information obtained during the security disclosure process to ensure user safety, protect its systems, and meet its legal obligations.

Contact

For vulnerabilities and security-related reports, you can reach us at:

[email protected]

For general support, partnerships, or user requests outside of security reporting, please use CardWho’s official contact form.