RewardZ Travel

Security

We take security seriously. If you believe you've found a vulnerability in RewardZ Travel, please report it responsibly using the contact below. We commit to acknowledging your report within three business days.

Report a vulnerability

Email security@rewardztravel.com with as much detail as you can: affected URL, reproduction steps, impact, and any proof-of-concept. PGP not required.

Scope

In scope: anything served from www.rewardztravel.com and our public APIs (/api/*).

Out of scope:

  • Third-party providers (Vercel, Supabase, Stripe, Anthropic, Google) — please report to them directly.
  • Reports requiring physical access to a user's device.
  • Social engineering or phishing of staff.
  • Denial of service, traffic flooding, or rate-limit testing.
  • Issues only reproducible on outdated browsers (more than two major versions behind).
  • Missing security headers without a demonstrated impact.

Safe harbor

We won't pursue legal action against good-faith researchers who:

  • Make a reasonable effort to avoid privacy violations and service disruption.
  • Use only test accounts they own, and do not access, modify, or delete other users' data.
  • Give us a reasonable window before public disclosure: 90 days from the report, or until we deploy a fix, whichever comes first.

What we do

  • HTTPS everywhere (TLS 1.2+ via Vercel).
  • Authentication via Supabase Auth with optional MFA.
  • Postgres row-level security (RLS) enforces user-data isolation.
  • Stripe Checkout handles all payment cards — we never see or store card numbers.
  • OAuth refresh tokens are encrypted at rest. Service-role secrets are server-side only.
  • Daily database backups via Supabase, with quarterly restore verification.
  • Rate limits on every public POST endpoint.
  • Dependabot scans for vulnerable dependencies.
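As an added illustration of the RLS point above (example SQL written for this page, not RewardZ Travel's actual schema or policies), here is how Postgres row-level security isolates one user's rows from another's on a Supabase-style database. The `trips` table, its columns and the policy names are assumptions; `auth.uid()` is Supabase's helper that returns the `sub` claim of the caller's JWT.

```sql
-- Added example, not the project's own code. Table/column names are assumed.
create table trips (
  id          bigserial primary key,
  owner_id    uuid not null default auth.uid(),  -- auth.uid(): Supabase helper, JWT "sub" claim
  destination text not null
);

-- Until RLS is enabled, policies are ignored and any role with table grants sees every row.
alter table trips enable row level security;
-- Table owners bypass RLS unless it is forced; close that gap too.
alter table trips force row level security;

-- One policy per command. USING filters rows that can be read/updated/deleted;
-- WITH CHECK rejects writes that would create a row the caller could not read.
create policy trips_owner_select on trips
  for select to authenticated
  using (owner_id = auth.uid());

create policy trips_owner_insert on trips
  for insert to authenticated
  with check (owner_id = auth.uid());

create policy trips_owner_update on trips
  for update to authenticated
  using (owner_id = auth.uid())
  with check (owner_id = auth.uid());

create policy trips_owner_delete on trips
  for delete to authenticated
  using (owner_id = auth.uid());

-- Verification from psql (assumption: auth.uid() reads the request.jwt.claims
-- setting, as Supabase's definition does). Impersonate two users in one session
-- and confirm each sees only its own rows.
begin;
  set local role authenticated;
  select set_config('request.jwt.claims',
         '{"sub":"00000000-0000-0000-0000-000000000001","role":"authenticated"}', true);
  insert into trips (destination) values ('Lisbon');   -- owner_id defaults to user 1
  select count(*) from trips;                          -- user 1 sees 1 row

  select set_config('request.jwt.claims',
         '{"sub":"00000000-0000-0000-0000-000000000002","role":"authenticated"}', true);
  select count(*) from trips;                          -- user 2 sees 0 rows
  -- Spoofing ownership is rejected by WITH CHECK:
  -- insert into trips (owner_id, destination)
  --   values ('00000000-0000-0000-0000-000000000001', 'Oslo');  -- fails the policy
rollback;
```

Two caveats a reviewer would check: the policies are scoped to the `authenticated` role, so the `anon` role gets no rows unless a separate policy grants them, and Supabase's `service_role` bypasses RLS entirely, which is why a service-role key must never reach a browser (the "server-side only" rule above).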

Machine-readable disclosure policy (RFC 9116 format) at /.well-known/security.txt.