Vulnerability Disclosure Policy
Last updated: March 6, 2026
1. Introduction
SweepFeed values the security community and the important role researchers play in keeping our platform and users safe. We encourage responsible disclosure of security vulnerabilities and commit to working with researchers to address valid findings promptly.
2. Scope
The following assets are in scope for security research:
- sweepfeed.com — Main website and all subdomains
- SweepFeed mobile applications — iOS and Android apps available on the App Store and Google Play
- SweepFeed API — All API endpoints under sweepfeed.com/api/*
The following are out of scope:
- Third-party services and integrations (Google, Firebase, Stripe, Vercel, etc.)
- Denial of service (DoS/DDoS) attacks
- Social engineering or phishing attacks against SweepFeed employees or users
- Physical security of SweepFeed offices or data centers
- Vulnerabilities in third-party sweepstakes sponsor websites
- Reports based solely on automated scan output without a demonstrated exploit
3. Reporting a Vulnerability
If you believe you have discovered a security vulnerability, please report it to us as soon as possible:
- Email: support@sweepfeed.com
- Subject Line: "Security Vulnerability Report — [Brief Description]"
Please include in your report:
- A description of the vulnerability and its potential impact
- Step-by-step instructions to reproduce the issue
- Any proof-of-concept code, screenshots, or video recordings
- The affected URL(s), API endpoint(s), or app screen(s)
- Your name or handle (for credit, if desired)
4. Our Commitments
When you report a vulnerability in good faith, SweepFeed commits to:
- Acknowledgment: We will acknowledge receipt of your report within 3 business days
- Assessment: We will assess the vulnerability and provide an initial severity determination within 10 business days
- Remediation: Critical vulnerabilities will be addressed within 30 days. Lower-severity issues will be prioritized according to risk
- Communication: We will keep you informed of our progress and notify you when the issue has been resolved
- Credit: With your permission, we will publicly acknowledge your contribution in our security acknowledgments
5. Safe Harbor
SweepFeed will not take legal action against researchers who discover and report security vulnerabilities in good faith, provided they:
- Do not access, modify, or delete other users' data
- Do not disrupt or degrade the availability of the Service
- Do not publicly disclose the vulnerability before SweepFeed has had a reasonable opportunity to address it (at least 90 days from the date of your report, unless a different timeline is mutually agreed)
- Do not exploit any vulnerability beyond the minimum necessary to demonstrate it
- Do not use automated vulnerability scanners that generate excessive traffic
- Comply with all applicable laws
We consider security research conducted consistently with this policy to be authorized conduct under the Computer Fraud and Abuse Act (CFAA) and exempt from the anti-circumvention restrictions of the DMCA, and we will not pursue a claim under those or other applicable anti-hacking laws against researchers who comply with this policy.
6. Qualifying Vulnerabilities
The following types of vulnerabilities are of particular interest:
- Authentication or authorization bypasses
- Cross-site scripting (XSS) with demonstrated user impact
- Server-side request forgery (SSRF)
- SQL injection or NoSQL injection
- Remote code execution
- Insecure direct object references (IDOR) exposing user data
- Significant privacy violations (unauthorized access to PII)
- Payment or subscription bypass vulnerabilities
7. Exclusions
The following are generally not considered qualifying vulnerabilities:
- Missing security headers without demonstrated exploit
- Clickjacking on pages without sensitive actions
- CSRF on public pages or logout functionality
- Missing rate limiting on non-critical endpoints
- Outdated software versions without a known exploit chain
- Best practice recommendations without demonstrated vulnerability
- Reports from automated tools without manual verification
8. Rewards
SweepFeed does not currently operate a paid bug bounty program. However, we deeply appreciate the security community's contributions and may offer rewards at our discretion for particularly impactful findings. All validated reporters will receive public acknowledgment (with permission) and our sincere gratitude.
9. Contact
Security reports: support@sweepfeed.com
General inquiries: support@sweepfeed.com
Questions about this policy? Reach out at support@sweepfeed.com