Legal
Security & vulnerability disclosure
Last updated June 3, 2026
01Reporting a vulnerability
If you believe you've found a security vulnerability in Tapgift, please email security@tapgift.app with the details. Please include:
- A clear description of the issue and the impact you believe it has
- Steps to reproduce (please don't pivot beyond what's necessary to demonstrate the issue)
- The URL(s), endpoint(s), or component affected
- Optional: your preferred name for public credit
We'll acknowledge your report within 3 business days, triage and propose a fix within 10 business days, and ship the fix as soon as we've verified the patch.
02Scope
The following are in scope:
tapgift.appand any subdomain (www,claim,api,app)- The Tapgift Shopify embedded app (the merchant admin surfaces under
/app/*) - The Tapgift Checkout UI Extension (the “Send as a gift” toggle that renders in Shopify checkout)
- The recipient claim flow at
/c/<token> - Public APIs at
/api/*and webhook endpoints at/webhooks/*
The following are out of scope:
- Shopify-hosted surfaces (Shopify's checkout, admin, theme runtime). Report those to Shopify's HackerOne program.
- Our sub-processors (Resend, Google, Supabase, Vercel, Cloudflare, Sentry). Each has its own disclosure program.
- Social-engineering or physical attacks against Tapgift staff or infrastructure
- Findings that require an already-compromised account (e.g. “if I have the merchant's Shopify session, I can do X”)
- Best-practice nits without demonstrable impact (e.g. missing non-critical security headers, version disclosure in HTTP responses)
03Safe harbor
We won't pursue legal action or contact law enforcement against you if you:
- Make a good-faith effort to avoid privacy violations, service degradation, and data destruction during testing
- Stop testing and report immediately if you encounter any user data
- Do not exploit the vulnerability beyond the minimum required to confirm its existence
- Give us a reasonable window to remediate before public disclosure
04Bounty
Tapgift does not currently offer a paid bug bounty. We do publish a credit list on this page for valid disclosures, and we'll send a thank-you gift (via Tapgift, naturally) for any high-severity finding.
05Contact
security@tapgift.app for security reports. For PGP-encrypted reports, request our key by email and we'll reply with the fingerprint.
The machine-readable version of this policy is at /.well-known/security.txt (RFC 9116).