Responsible Disclosure Policy
Last updated: May 24, 2026
Security research helps us keep Olik Split safe for everyone who uses it to track money with friends. This policy describes how to report a suspected vulnerability, what we consider in and out of scope, the timelines you can expect from us, and the safe-harbor protections we extend to good-faith researchers.
1. Scope
The following systems are in scope:
- oliksplit.app and all subdomains operated by us (including api.oliksplit.app).
- The Olik Split mobile applications for Android and iOS as distributed via Google Play and the App Store.
- The Olik Split desktop and web builds we publish from our domain.
The following are out of scope:
- Third-party sites, services, or applications (Firebase, AdMob, Anthropic, Cloudflare, Google Play, App Store, etc.). Report issues with those providers directly to them.
- Social engineering of our staff, users, or vendors; physical attacks; or attacks against personal accounts of employees.
- Denial-of-service (DoS / DDoS), traffic-flooding, or brute-force attempts. Do not run these against our systems.
- Unfiltered automated scanner output (e.g. Nessus, ZAP, Burp Pro screenshots) with no demonstrated impact.
- Missing best-practice headers (CSP, X-Frame-Options) without a working exploit.
- Theoretical vulnerabilities requiring unlikely user interaction (e.g. man-in-the-middle on a victim's local network) without a working proof of concept.
- Self-XSS, clickjacking on pages without sensitive actions, or issues on pre-release / beta endpoints.
2. How to Report
Send an email to security@oliksplit.app with:
- A clear description of the vulnerability and affected component.
- Step-by-step reproduction instructions (the smaller the PoC, the faster we can validate).
- Your assessment of impact and the attacker prerequisites.
- Any supporting evidence: HTTP requests, screenshots, video. Please redact other users' data.
- The name (or alias) you would like credited if the issue is accepted.
Encrypted submissions are welcome; request our PGP key in your initial message and we will exchange it before you share details.
3. Response SLAs
- Acknowledgement: within 72 hours of receipt.
- Triage decision and status update: within 14 days.
- Fix timeline: depends on severity. Critical issues are typically patched in days; high-severity in weeks; medium and low ride normal release cycles. We will share an ETA once triaged and notify you again when the fix ships.
4. Rules of Engagement
- Do not access, modify, or exfiltrate data that does not belong to you. Use test accounts you create yourself.
- Do not pivot from a discovered vulnerability into systems beyond the one needed to demonstrate the issue.
- Stop and report once you have proof of impact — do not weaponize.
- Give us a reasonable window to fix the issue before any public disclosure. We will coordinate a disclosure date with you.
- Do not publicly disclose details (including screenshots that reveal the bug class) until we have shipped a fix and given you the go-ahead.
5. Safe Harbor
If you make a good-faith effort to comply with this policy during your security research, we will:
- Consider your activity authorized under the Computer Fraud and Abuse Act and equivalent local laws.
- Not pursue or support legal action against you.
- Work with you, not against you, to understand and resolve the issue quickly.
If a third party brings legal action against you for activity we authorized under this policy, we will make it known that your actions were conducted in compliance with our disclosure program.
6. Reward
Olik Split does not currently operate a paid bug bounty. We are a small team and would rather invest those resources into fixing issues quickly. Once we have accepted five or more valid reports under this policy, we will publish a Hall of Fame recognizing each contributing researcher (alias of your choice, with optional link). You may also request a written acknowledgement letter for your CV or portfolio.
7. Questions
If anything in this policy is unclear, reach out at security@oliksplit.app before starting your research and we will help clarify scope.