Security Disclosure Policy

Last Updated: January 1, 2025

Our Commitment to Security

UPDO takes the security of our users' data seriously. We appreciate the security research community's efforts in responsibly disclosing vulnerabilities.

Responsible Disclosure

If you discover a security vulnerability, please report it to us privately. We ask that you:

  • Do not publicly disclose the vulnerability before we've had a chance to address it
  • Provide detailed information to help us reproduce the issue
  • Give us reasonable time to fix the vulnerability
  • Do not exploit the vulnerability beyond what's necessary to demonstrate it

How to Report

Email: [email protected]

PGP Key: Available upon request

Please include in your report:

  • Description of the vulnerability
  • Steps to reproduce
  • Potential impact
  • Suggested fix (if any)
  • Your contact information

Our Response Process

  1. We'll acknowledge your report within 48 hours
  2. We'll investigate and validate the vulnerability
  3. We'll work on a fix and keep you updated
  4. We'll deploy the fix and notify you
  5. We'll publicly acknowledge your contribution (if you wish)

Scope

The following are in scope for security research:

  • updo.app and all subdomains
  • Mobile applications
  • API endpoints

Out of scope:

  • Social engineering attacks
  • Physical attacks
  • Denial of service attacks
  • Third-party services we use

Safe Harbor

We will not pursue legal action against researchers who:

  • Follow this responsible disclosure policy
  • Act in good faith
  • Do not intentionally harm users or our systems
  • Do not access or modify user data beyond what's necessary

Recognition

We maintain a Hall of Fame to recognize security researchers who help us improve our security. With your permission, we'll list:

  • Your name or handle
  • Date of disclosure
  • Brief description of the vulnerability

Security Measures

We implement industry-standard security practices:

  • Encryption in transit (HTTPS/TLS)
  • Encryption at rest for sensitive data
  • Regular security audits and penetration testing
  • Secure development practices
  • Employee security training
  • Incident response procedures