Skip to content
Safe Trip
Get Pro
Security · VDP
Effective 7 May 2026

Security

Safe Trip welcomes coordinated disclosure of security issues from the research community. This page describes how to report a vulnerability, what is in scope, and what you can expect from us.

Reporting a vulnerability

Email [email protected]. PGP not required for an initial report; we’ll provide a key for sensitive follow-up if needed. The same address is published in our machine-readable file at /.well-known/security.txt.

Please include:

  • A clear description of the issue and its impact
  • Steps to reproduce, or a proof-of-concept
  • The affected URL(s) or component(s)
  • Whether the issue has been disclosed elsewhere

What is in scope

  • safetripindex.com and any sub-domain we operate
  • The Safe Trip Next.js application code in github.com/mouamaro/safetrip
  • The Safe Trip Score algorithm, where a flaw enables data manipulation or unauthorised access

What is out of scope

  • Physical attacks, social engineering of staff, or DoS / volumetric testing
  • Third-party services we depend on (report those directly to the vendor, e.g., Cloudflare, Railway, GitHub)
  • Best-practice findings without demonstrable impact (e.g., missing security headers on cosmetic endpoints)
  • Issues that require a compromised end-user device or rooted browser
  • Automated-scanner output without a working exploit

Our commitments

  • Acknowledge within 2 business days
  • Triage within 5 business days, with a target resolution timeline
  • Coordinated disclosure: we ask for up to 90 days from acknowledgement before public disclosure; we’ll work with you on timing if a longer window is genuinely needed
  • Credit on a hall-of-fame page for valid reports, when you want it
  • Safe harbour: we will not pursue legal action against good-faith research that respects this policy and avoids harm to users or data

Bounty

We do not yet run a paid bounty programme. Until we do, valid reports earn public acknowledgement and Safe Trip Pro credit. A formal bounty programme is planned for Phase 3 (per the product blueprint) on either HackerOne or Intigriti.

Other contact