Security & Vulnerability Disclosure

Effective Date: May 11, 2026

Our commitment

Affiliateo takes security seriously. If you've discovered a vulnerability in our platform, we want to hear about it so we can fix it and protect our merchants, affiliates, and buyers.

This page describes how to report security issues, what's in scope, the rules of engagement, and the safe-harbor terms that apply when you act in good faith. Our machine-readable contact details are published as a security.txt file following RFC 9116.

How to report

Email support@affiliateo.com with the subject line [Security]. A good report includes:

  • A clear description of the issue and its impact.
  • The exact steps to reproduce it (URLs, payloads, HTTP requests, screenshots, or a short video).
  • The affected component (web app, API endpoint, mobile SDK, etc.) and the environment you tested in.
  • Your name or handle, if you'd like credit in our acknowledgments.

We aim to acknowledge new reports within 3 business days and to provide an initial assessment within 10 business days. Critical issues are triaged immediately.

In scope

  • affiliateo.com and all subdomains we operate
  • Our public API endpoints under /api/
  • Our official SDKs (@affiliateo/web, @affiliateo/react-native, Swift, Kotlin, Flutter, and the hosted m.js / t.js / shopify-affiliate.js scripts)
  • Authentication, payment, and webhook flows we operate

We're especially interested in: authentication bypasses, broken access control, server-side request forgery, SQL injection, stored XSS, payment/wallet manipulation, privilege escalation, and any flaw that lets one user act as another or read data they shouldn't.

Out of scope

The following are not in scope and reports about them will be closed:

  • Third-party services we depend on (Stripe, Supabase, Cloudflare, AWS, RevenueCat, Polar, Paddle, Whop, Shopify, WooCommerce). Report those directly to the vendor.
  • Automated scanner output without a working proof-of-concept. We've hardened our app with strict CSP, nonce-based script execution, and HTML-safe JSON serialization — reflected-input findings without a demonstrated exploit aren't vulnerabilities.
  • Missing security headers on endpoints that don't serve sensitive content.
  • Self-XSS, clickjacking on non-authenticated pages, content spoofing with no impact, social engineering, physical attacks.
  • Denial-of-service, brute-force, or rate-limit volume tests.
  • Issues that require an already-compromised account or root-level device access.
  • Theoretical issues with no demonstrated impact (e.g., reports based on version-disclosure of OSS libraries with no exploit path).
  • Reports generated by AI without verification.

Rules of engagement

When testing, please:

  • Use a test account you control. Don't access or modify other users' data.
  • Stop as soon as you confirm the vulnerability. Don't exfiltrate data, escalate access, or pivot once you've proven the issue.
  • Don't run automated scanners against production. They generate noise and rarely surface real issues. Manual testing is welcome.
  • Don't degrade service. No DDoS, traffic flooding, or brute-force.
  • Don't test physical security or social-engineer staff.
  • Keep the issue confidential until we've had a reasonable opportunity to fix it. We aim for a fix or mitigation within 90 days; coordinated public disclosure after that is fine.

Safe harbor

Security research conducted in good faith, in line with this policy, is authorized. We will not:

  • Pursue legal action (civil or under the Computer Fraud and Abuse Act, DMCA, or equivalent laws) against you for activities that follow this policy.
  • Report you to law enforcement.

If a third party initiates legal action against you for activity we authorized, we'll make it known that your actions were authorized. This safe harbor doesn't extend to actions that violate the rules of engagement above, that disrupt other users, or that affect third-party systems we don't operate.

Recognition

Affiliateo doesn't currently operate a paid bug-bounty program. We deeply appreciate responsible disclosure and will credit researchers (with permission) for valid reports. If you'd like to be acknowledged, let us know in your report.

Contact

Security reports: support@affiliateo.com
Machine-readable contact: /.well-known/security.txt