Security Policy

Last updated: February 27, 2026

1. Reporting a Vulnerability

If you discover a security vulnerability in BeyondShoebox, please report it to us at security@beyondshoebox.com. We take all reports seriously and will respond within 72 hours to acknowledge receipt.

2. Coordinated Disclosure

We follow a coordinated disclosure process with a 90-day window. When you report a vulnerability:

• We will acknowledge your report within 72 hours.
• We will investigate and keep you informed of our progress.
• We will work with you to understand the issue and develop a fix.
• We ask that you allow us up to 90 days to resolve the issue before any public disclosure.
• If we need more time, we will discuss an extension with you.

3. Scope

The following are in scope for security research:

• beyondshoebox.com and its subdomains
• The BeyondShoebox web application and API

The following are out of scope:

• Third-party services (Google OAuth, Stripe, MXRoute)
• Denial-of-service attacks
• Social engineering or phishing against our users or staff

4. What We Ask of Researchers

• Do not access, modify, or delete data belonging to other users.
• Do not perform actions that could disrupt the service for other users.
• Do not publicly disclose the vulnerability before we have had a chance to address it.

5. Contact

Send all security-related reports to security@beyondshoebox.com. For non-security issues, please use our regular support channels.