Last updated: 19 May 2026
ExCards welcomes responsible vulnerability reports from security researchers. This policy describes what is in scope, how to submit a report, what to expect in response, and the safe-harbor terms under which we will not pursue good-faith research.
In scope: excards.io, ex.cards, app.excards.io, and the Netlify Functions endpoints under /.netlify/functions/. Any sub-path of these domains is in scope. Card issuer partner systems and Visa/Mastercard network infrastructure are out of scope — report those to the relevant issuer or network operator.
Out of scope: denial-of-service attacks; social engineering of staff or customers; physical attacks; spam or content injection in chat threads; brute-forcing of credentials; issues in third-party services we use (Cloudflare, Netlify, OpenRouter, Notion) — report those to the third-party operator directly.
Send a report to app.excards.io with the word "security" at the start of the message. Include: a description of the vulnerability, steps to reproduce, the affected URL or endpoint, your assessment of impact, and any proof-of-concept material. Encrypted communication on request — share a PGP key and we will reply on a secure channel.
A useful report contains clear, reproducible steps, the exact request and response showing the issue, the affected user role or authentication state, and an impact assessment (data exposed, account-takeover possibility, monetary-loss potential). Vague reports without reproduction details may be deprioritized.
Acknowledgment within 24 hours of report receipt. Triage and confirmation or rejection within 5 business days. Fix or mitigation timeline communicated within 10 business days for confirmed issues. Critical issues (active exploit, account takeover, mass data exposure) are handled with priority — 24-hour mitigation target.
We will not pursue legal action or notify law enforcement for good-faith security research conducted under this policy. Good faith means: limit testing to your own accounts; do not access, modify, or download other users' data; do not disclose the issue publicly before we have shipped a fix; do not attempt to access internal systems beyond the scope listed above.
We do not currently run a paid bug bounty program. We may offer credit on a public acknowledgments page (opt-in) for valid reports. We will not pay for reports that are already known, automatically generated by scanners, or low-impact misconfigurations.
Default coordinated-disclosure window is 90 days from initial report. Critical vulnerabilities may require longer if the fix involves coordination with the card issuer partner. We will keep the reporter updated and request consent before extending the window.
Reports: app.excards.io, prefix "security". Public acknowledgments (with reporter permission) may be posted on this page in the future.