Vulnerability Disclosure Policy

Last updated: 2026-06-14

We welcome responsible disclosure from security researchers. If you believe you have found a security vulnerability in our service, please report it to us privately so we can investigate and remediate before any public disclosure.

In scope

• happyface.io and its subdomains operated by us
• payitforward-3-0.web.app (Firebase Hosting)

Out of scope

• Third-party services we depend on (Firebase, Google Cloud Platform, Expo, etc.) — please report those directly to the vendor
• Denial-of-service attacks, volumetric testing, and social engineering of staff or users
• Findings from automated scanners without a demonstrated impact

How to report

Email security@happyface.io with a clear description, reproduction steps, and any proof-of-concept material. PGP is not required.

Our commitment

• We aim to acknowledge new reports within 5 business days.
• We will not pursue legal action against researchers acting in good faith and within this policy.
• With your permission, we are happy to credit you once a fix has shipped.

Bug bounty

We do not operate a paid bug bounty program. Reports are accepted on a goodwill basis only.