Last updated: April 2026
Ping5r takes security seriously. If you believe you have found a vulnerability, we want to hear about it. This page explains how to report and what to expect from us in return.
Email security@ping5r.com with a clear description of the issue, reproduction steps, and any proof of concept. Please do not file public issues, post on social media, or attempt to access other users' data. Encrypted reports are welcome — ask and we will share a PGP key.
Machine-readable contact info is published at /.well-known/security.txt per RFC 9116.
We will not pursue legal action against researchers who act in good faith, meaning you: make a reasonable effort to avoid privacy violations, data destruction, and service disruption; do not exfiltrate more data than needed to demonstrate the issue; do not use social engineering against our staff or contractors; and give us reasonable time to remediate before any public disclosure.
In scope: ping5r.com and its subdomains, and the Ping5r mobile and web clients. Out of scope: third-party services we use (for example Stripe, Supabase, Resend, Sentry, PostHog, Upstash, Cloudflare), social engineering, physical attacks, denial of service, and issues affecting only outdated browsers.
We do not currently run a paid bug bounty. We do publicly credit researchers who report valid issues on a Hall of Fame page (coming soon at /security/hall-of-fame), with your permission.