Responsible Disclosure Program
For security researchers who've found a vulnerability in Share The Aloha.
Share The Aloha is committed to ensuring the security of our service and our users' information. We encourage security researchers to contact us to report any potential weaknesses identified in our product, system, or any asset belonging to Share The Aloha.
This program is not a public bug-bounty program. We make no offers of reward or compensation for submitting potential issues. We genuinely appreciate your commitment to improving the security of our service and we will acknowledge your contribution publicly (with your permission) where appropriate.
Guidelines
Security researchers will disclose potential weaknesses in compliance with the following guidelines.
Please DO
- โShare the security issue with us privately before disclosing it publicly (e.g., on message boards, mailing lists, blogs, or social media).
- โWait until we have confirmed the vulnerability has been resolved before disclosing it to third parties. Some vulnerabilities take longer to address than others.
- โProvide a clear, concise description of the steps needed to reproduce the vulnerability.
- โProvide proof-of-concept URLs, screenshots, or relevant logs, along with the details of the system(s) where tests were conducted.
- โUse only your own test accounts created specifically for security research. Do not interact with other users' accounts or data.
Please DON'T
- โCause harm to Share The Aloha, our users, partners, infrastructure providers, or employees.
- โEngage in any act that may cause an outage or interrupt our service.
- โEngage in illegal activities or any acts that violate international, federal, state, or local laws or regulations.
- โStore, share, compromise, or destroy any data belonging to Share The Aloha or our users while conducting research. If you encounter personally identifiable information (PII), stop and notify us immediately.
- โConduct social-engineering attempts against our staff, partners, or users.
- โConduct denial-of-service (DoS) or distributed denial-of-service (DDoS) attacks of any form.
- โPerform physical-security testing of any of our offices, facilities, or those of our infrastructure providers.
- โConduct fraudulent activity or complete fraudulent financial transactions (real or test) as part of your research.
Out-of-scope issues
The following are explicitly outside the scope of this program. We may decline to investigate reports limited to these categories.
- ยทPhishing or other social-engineering attacks against our users or staff.
- ยทPhysical-security testing of our offices or our providers' facilities.
- ยทDenial-of-service (DoS) attacks of any form, including volumetric, application-layer, or protocol-based.
- ยทVulnerabilities affecting only outdated browsers or operating systems.
- ยทSelf-XSS or attacks requiring full social-engineering of a victim.
- ยทMissing security headers without a demonstrated impact.
- ยทReports based on automated scanner output without manual verification.
How to submit a report
Send your report to security@sharethealoha.com.
Please include:
- โA clear summary of the vulnerability.
- โThe URL or feature affected.
- โStep-by-step instructions to reproduce.
- โScreenshots, proof-of-concept code, or logs as applicable.
- โYour contact information so we can follow up.
We aim to acknowledge receipt within 5 business days and to provide an initial assessment within 14 business days. For high-severity issues we will respond as quickly as we can.
Safe harbor
We will not pursue legal action against security researchers who:
- โMake a good-faith effort to comply with the guidelines on this page.
- โReport vulnerabilities promptly and only to us before any public disclosure.
- โRefrain from privacy violations, destruction of data, and interruption or degradation of our service during research.
- โAvoid violating any other applicable law or regulation.
Share The Aloha reserves its legal rights in the event of non-compliance with these guidelines. If in doubt about whether a planned test crosses a line, contact us first at security@sharethealoha.com and we'll work with you.
Recognition
With your permission, we'll acknowledge researchers who responsibly disclose verified vulnerabilities on a thank-you page once we've built it. We will never publish your information without your consent.
If you have a different concern
- โAbusive content or harassment: report@sharethealoha.com
- โPrivacy-rights requests (access, deletion, correction): support@sharethealoha.com
- โAccount or billing issues: support@sharethealoha.com
- โCopyright takedown (DMCA): dmca@sharethealoha.com
Last updated: May 30, 2026. We will update this page as the program evolves.