Security

Security and Responsible Disclosure

How Tripletto protects the service and how security researchers can report vulnerabilities responsibly.

Security practices

Tripletto uses authentication, access controls, provider security features, Firestore rules, limited admin operations, logging, backups, and operational safeguards designed to protect user accounts and trip data.

No system is perfectly secure. Users should protect account credentials, use strong passwords, limit shared links, and contact us quickly if something looks wrong.

Report a vulnerability

Email support@tripletto.app with "Security Report" in the subject. Include a clear description, affected URL or feature, steps to reproduce, potential impact, and any screenshots or logs that do not expose other users' data.

Safe research rules

  • Do not access, alter, delete, exfiltrate, or disclose another user's data.
  • Do not run denial-of-service attacks, spam, social engineering, phishing, malware, or physical attacks.
  • Do not publicly disclose a vulnerability before we have had a reasonable chance to investigate and fix it.
  • Stop testing and contact us if you encounter sensitive data or could disrupt the service.

Our commitment

We will review good-faith reports and use them to improve Tripletto. We do not currently offer a paid bug bounty unless separately agreed in writing.