Create Mappins - Make a map with pins


Security

Vulnerability Disclosure Program

Our Commitment

At Create Mappins, we take security seriously. We value the work of security researchers who help keep our users safe. If you discover a security vulnerability, we encourage you to report it responsibly.

We are committed to working with security researchers to verify and address potential vulnerabilities. We will acknowledge your contribution in our Hall of Fame (unless you prefer to remain anonymous).

Scope

In Scope

  • createmappins.com and all subdomains
  • Firebase/Firestore security rules
  • Cloud Storage security rules
  • Authentication and authorization flaws
  • Data exposure vulnerabilities
  • Cross-site scripting (XSS)
  • Cross-site request forgery (CSRF)
  • SQL/NoSQL injection
  • Server-side request forgery (SSRF)
  • Insecure direct object references (IDOR)

Out of Scope

  • Denial of Service (DoS/DDoS) attacks
  • Social engineering or phishing
  • Physical security attacks
  • Attacks against our employees or users
  • Spam or rate-limiting issues
  • Missing security headers without demonstrated impact
  • Software version disclosure
  • Issues in third-party services we don't control

Rules of Engagement

To ensure a safe and legal testing environment, please follow these guidelines:

  • Do not access, modify, or delete data belonging to other users
  • Do not perform any attacks that could harm the availability of our services
  • Do not use automated scanners that generate excessive traffic
  • Do not publicly disclose the vulnerability before we have addressed it
  • Do provide detailed reproduction steps in your report
  • Do give us reasonable time to investigate and fix the issue (typically 90 days)
  • Do use a test account you control for any testing

How to Report

Please send your vulnerability report to:

hello@hexoradigital.com

Please include the following in your report:

  • Description of the vulnerability
  • Steps to reproduce
  • Potential impact
  • Any proof-of-concept code or screenshots
  • Your preferred contact method and whether you'd like to be credited

For sensitive reports, you can request our PGP key or suggest an encrypted communication channel.

Hall of Fame

We thank the following security researchers for their responsible disclosures:

Be the first to be recognized for helping secure Create Mappins!

Safe Harbor

We consider security research conducted in accordance with this policy to be authorized, lawful, and helpful. We will not pursue legal action against researchers who discover and report vulnerabilities in good faith, following the guidelines outlined above. We ask that you give us adequate time to address reported issues before making any public disclosure.