Security: spotbo-inc/spotbo

SECURITY.md

Security Policy

Reporting a Vulnerability

If you discover a security vulnerability in Spotbo, please report it responsibly.

Email: security@spotbo.com

Please do not open a public GitHub issue for security vulnerabilities.

What to include

  • A description of the vulnerability
  • Steps to reproduce (if applicable)
  • The potential impact
  • Any suggested fixes

Response timeline

  • Acknowledgment — within 48 hours
  • Initial assessment — within 7 days
  • Fix target — within 90 days, depending on severity

Scope

The following are in scope:

  • Authentication and authorization bypasses
  • Cross-site scripting (XSS)
  • Server-side request forgery (SSRF)
  • Data exposure or leakage
  • Injection vulnerabilities (SQL, NoSQL, command)
  • Broken access controls
  • Cryptographic weaknesses in the messaging system

The following are out of scope:

  • Rate limiting or brute force without demonstrated impact
  • Vulnerabilities in third-party dependencies (report upstream)
  • Social engineering attacks
  • Denial of service attacks
  • Issues already reported or publicly known
  • Automated scanner output without a demonstrated exploit

Encryption

Direct messages on Spotbo are end-to-end encrypted using the Signal Protocol (X3DH key exchange + Double Ratchet). Messages are encrypted on the sender's device and can only be decrypted by the intended recipient. Spotbo's servers never have access to plaintext message content.

Acknowledgments

We appreciate responsible disclosure and will credit researchers (with permission) once a fix is deployed.