Security and Vulnerability Disclosure

Scope

The following assets are in scope for security reports:

• nearbyspy.com and all NearbySpy-owned subdomains
• Public, investigator, client, and admin API routes under /api/
• Investigator, client, and admin dashboards under /dashboard/ and /admin/
• Mobile-responsive views of the above surfaces
• Supabase, R2 storage, and Authorize.Net integration points where they touch NearbySpy-controlled code paths

In-Scope Vulnerabilities

We are particularly interested in reports covering, but not limited to:

• SQL injection and other injection vulnerabilities
• Cross-site scripting (XSS) — stored, reflected, or DOM-based
• Cross-site request forgery (CSRF) on state-changing endpoints
• Authentication bypass or session-handling flaws
• Authorization bypass, including role-based access control (RBAC) escapes
• Sensitive data exposure (case files, evidence, PII, payment data, or audit logs)
• Evidence integrity tampering or chain-of-custody manipulation in DocuVault
• Audit log manipulation or removal
• Server-side request forgery (SSRF), remote code execution, or path traversal
• Insecure direct object references (IDOR) across cases, operations, or reports

Out of Scope

The following are not eligible for disclosure-policy protections:

• Social engineering of NearbySpy staff, investigators, clients, or contractors
• Physical security attacks against offices or staff
• Denial-of-service (DoS / DDoS) attacks or volumetric scanning
• Spam, phishing, or content-policy abuse reports
• Purely cosmetic UI/UX bugs without a security impact
• Missing security headers, cookie attributes, or TLS configuration findings without a demonstrated exploit
• Vulnerabilities in third-party services we integrate with — report to the vendor
• Automated scanner output without manual validation or a working proof-of-concept

Reporting Channel

Please email security@nearbyspy.com with a detailed report including:

• A clear description of the vulnerability and its impact
• Step-by-step reproduction instructions
• Proof-of-concept code, screenshots, or recordings
• The affected URL, endpoint, or component
• Your name or handle for credit (optional)

PGP encryption is available upon request — reply to our acknowledgement email and we will share a public key for ongoing communication.

Response SLAs

When you report a vulnerability in good faith, you can expect:

• Acknowledgement within 48 hours of receipt during business days
• Initial triage and assessment within 5 business days, including severity classification
• Remediation timelines tied to severity:
  • Critical: patched within 7 days
  • High: patched within 30 days
  • Medium: patched within 90 days
  • Low: patched on a best-effort basis
• Status updates while the issue is being investigated and remediated
• Coordinated public disclosure once a fix is shipped, with credit if desired

Safe Harbor

NearbySpy will not pursue legal action against security researchers who:

• Act in good faith and follow this disclosure policy
• Stay within the in-scope assets and avoid out-of-scope activities
• Make a good-faith effort to avoid privacy violations, service degradation, and destruction or modification of data
• Do not exfiltrate data beyond the minimum required to demonstrate the vulnerability, and securely delete any data obtained during testing
• Give us a reasonable opportunity to investigate and remediate before any public disclosure

Good-faith testing within scope is permitted. If you are unsure whether a particular technique is in scope, contact us first at security@nearbyspy.com before testing.

Hall of Fame

We publicly thank security researchers who have responsibly disclosed valid vulnerabilities to NearbySpy. This list is updated as reports are remediated and researchers consent to credit.

No published acknowledgements yet — be the first.