Legal

Security & vulnerability disclosure

Last updated June 3, 2026

01Reporting a vulnerability

If you believe you've found a security vulnerability in Tapgift, please email security@tapgift.app with the details. Please include:

  • A clear description of the issue and the impact you believe it has
  • Steps to reproduce (please don't pivot beyond what's necessary to demonstrate the issue)
  • The URL(s), endpoint(s), or component affected
  • Optional: your preferred name for public credit

We'll acknowledge your report within 3 business days, triage and propose a fix within 10 business days, and ship the fix as soon as we've verified the patch.

02Scope

The following are in scope:

  • tapgift.app and any subdomain (www, claim, api, app)
  • The Tapgift Shopify embedded app (the merchant admin surfaces under /app/*)
  • The Tapgift Checkout UI Extension (the “Send as a gift” toggle that renders in Shopify checkout)
  • The recipient claim flow at /c/<token>
  • Public APIs at /api/* and webhook endpoints at /webhooks/*

The following are out of scope:

  • Shopify-hosted surfaces (Shopify's checkout, admin, theme runtime). Report those to Shopify's HackerOne program.
  • Our sub-processors (Resend, Google, Supabase, Vercel, Cloudflare, Sentry). Each has its own disclosure program.
  • Social-engineering or physical attacks against Tapgift staff or infrastructure
  • Findings that require an already-compromised account (e.g. “if I have the merchant's Shopify session, I can do X”)
  • Best-practice nits without demonstrable impact (e.g. missing non-critical security headers, version disclosure in HTTP responses)

03Safe harbor

We won't pursue legal action or contact law enforcement against you if you:

  • Make a good-faith effort to avoid privacy violations, service degradation, and data destruction during testing
  • Stop testing and report immediately if you encounter any user data
  • Do not exploit the vulnerability beyond the minimum required to confirm its existence
  • Give us a reasonable window to remediate before public disclosure

04Bounty

Tapgift does not currently offer a paid bug bounty. We do publish a credit list on this page for valid disclosures, and we'll send a thank-you gift (via Tapgift, naturally) for any high-severity finding.

05Contact

security@tapgift.app for security reports. For PGP-encrypted reports, request our key by email and we'll reply with the fingerprint.

The machine-readable version of this policy is at /.well-known/security.txt (RFC 9116).