Security & Vulnerability Disclosure Policy
Effective date: 1 June 2026
TabbPay takes the security of our platform and the safety of guest, staff and payment data seriously. We welcome reports from security researchers and will work with you to understand and resolve issues quickly.
How to report
Email security@tabbpay.com with:
- a description of the issue and its potential impact;
- clear, step-by-step instructions to reproduce it (proof-of-concept, affected URL/endpoint, request/response samples);
- your name or handle if you would like to be credited.
Our machine-readable contact details are published at
/.well-known/security.txt (RFC 9116).
Scope
In scope:
tabbpay.com,app.tabbpay.com,staff.tabbpay.com,dashboard.tabbpay.comandapi.tabbpay.com.
Out of scope:
- Denial-of-service (DoS/DDoS), volumetric or brute-force testing.
- Social engineering, phishing, or physical attacks against staff or facilities.
- Findings from automated scanners without a demonstrated, exploitable impact.
- Reports affecting only out-of-date browsers or third-party services we don't control (e.g. the payment processors, Cloudflare, Clerk).
Safe harbour
If you make a good-faith effort to comply with this policy during your research, we will consider your testing authorised, will not pursue or support legal action against you, and will work with you to resolve the issue. Please:
- only test against your own accounts/data or test data you are authorised to use;
- never access, modify, or exfiltrate other users' data, cardholder data, or secrets;
- do not degrade or disrupt our services for real users;
- give us a reasonable opportunity to remediate before any public disclosure.
What to expect
- Acknowledgement of your report within 3 business days.
- An assessment and, where valid, a remediation timeline based on severity.
- Credit for the first reporter of a valid, previously-unknown issue, if you wish.
We do not currently operate a paid bug-bounty programme, but we are grateful for responsible disclosure and are happy to acknowledge contributors.