Security Disclosure Policy
Effective date: June 22, 2026
We welcome good-faith reports about security vulnerabilities in Up n Around. This policy explains how researchers can report issues responsibly and what behavior is not authorized.
How to report
Email security reports to support@upnaround.app with the subject line "Security report". Include a clear description, affected URL or app area, reproduction steps, screenshots or logs if helpful, potential impact, and your contact information if you want a response.
Good-faith research rules
- Use only accounts, devices, and data you own or are authorized to test.
- Stop testing and report promptly if you encounter personal data, private messages, credentials, tokens, or non-public systems.
- Do not access, change, delete, download, disclose, or retain other users' data.
- Do not degrade, disrupt, spam, phish, socially engineer, scrape, extort, or attack users, employees, service providers, or infrastructure.
- Do not use malware, destructive payloads, persistence, credential attacks, denial-of-service testing, physical attacks, or attacks against third-party providers.
- Give us a reasonable opportunity to investigate and remediate before public disclosure.
Scope
This policy covers security issues in Up n Around websites, apps, and systems that we own or operate. It does not authorize testing of third-party services, app stores, carriers, payment providers, hosting providers, or vendor systems unless the third party has published its own permission for such testing.
Our response
We may acknowledge reports, ask for more information, investigate, validate impact, remediate, and coordinate disclosure. We do not promise a reward, bounty, specific timeline, public credit, or eligibility for every report. We may decline reports that are low impact, duplicates, not reproducible, out of scope, or inconsistent with this policy.
Safe harbor intent
If you follow this policy and act in good faith, we do not intend to pursue legal action against you for the research activity you report to us. This does not limit our rights if activity harms users, violates law, accesses data without authorization, disrupts the service, or goes beyond this policy.
Security incidents
Our handling of incidents affecting users is also described in our Special Situations, Privacy Policy, and internal incident response procedures.