Responsible Disclosure / Special Thanks

At Splitwise, we’re lucky to have supportive users who help us to find bugs and potential security vulnerabilities via responsible disclosure. If you believe you have discovered a potential issue with our system, we appreciate your help in disclosing the issue to us responsibly. This page contains info on how to report an issue, and gives thanks to all the individuals who have reported issues in the past.

Researchers who submit a valid report to us within the bounds of this policy will be given credit and thanks on this page once the submission has been accepted, remedied, and validated by our security team.

How we approach security reports

  • Splitwise will not take legal action against users for disclosing vulnerabilities as instructed here.
  • Valid vulnerability reports will always be responded to as fast as possible – usually within 2 business days.
  • If we agree that you’ve reported a valid issue with our service, we’ll attribute you with a special thanks on this page after the issue has been remedied. Please let us know if you’d like us to include a link to your Twitter account or other profile.

Guidelines

To promote the discovery and reporting of vulnerabilities and increase user safety, we ask that you:

  • Share the security issue with us in detail right away by emailing us at security@splitwise.com.
  • Don’t perform any actions that could harm the reliability or integrity of our services and data. Some examples of harmful activities that are not permitted include: brute forcing, denial of service (DoS), spamming, timing attacks, etc.
  • Don’t use scanners or automated tools to find vulnerabilities.
  • Do not engage in social engineering or phishing of Splitwise users or employees.
  • Please give us a reasonable time to respond to the issue before making any information about it public.
  • Do not access or modify our data or our users’ data. Only interact with your own accounts or test accounts for security research purposes.
  • Do not view, alter, save, store, transfer, or otherwise access any data obtained incidentally during your research, and immediately purge any local copies after reporting the vulnerability to Splitwise.
  • Act in good faith to avoid privacy violations, destruction of data, and interruption or degradation of our services (including denial of service).
  • Comply with all applicable laws.

In the event of duplicate reports for the same issue, Splitwise will generally add only the first person to report the issue to our Responsible Disclosure page.

We reserve the right to disqualify individuals from the program for disrespectful or disruptive behavior. We will not negotiate in response to duress or threats (e.g., we do not offer cash rewards and will not negotiate a payout amount under threat of withholding the vulnerability or threat of releasing the vulnerability or any exposed data to the public).

Third-party services

Some subdomains of splitwise.com are run via third-party services. If you find an issue with one of these subdomains, you may want to report it directly to the appropriate company, depending on the issue:

Out-of-scope issues

The following issues are generally considered out-of-scope and not eligible for thanks. We try to respond to every report within 48 hours, but we may be slower to respond to reports about the following:

  • Our policies on presence/absence of SPF/DMARC records.
  • Password, email, and account policies, such as email ID verification, reset link expiration, and password complexity.
  • Host header injections, unless you can show how they can lead to stealing user data.
  • Attacks requiring physical access to a user’s device.
  • Reports of spam (i.e., any report involving the ability to send emails without rate limits).
  • Missing best practices (we require a repeatable proof of concept demonstrating a security vulnerability).
  • Any physical attacks against Splitwise property, offices, or employees.
  • We will only accept critical reports for blog.splitwise.com (e.g., RCE). Minor issues that can’t impact Splitwise users are out of scope. Please report them to the Automattic Program.
  • Clickjacking on domains other than www.splitwise.com or secure.splitwise.com.

Special thanks to all those who have helped Splitwise:

2020

2019

2018

2017

2016

2015

2014

2013