Responsible Disclosure / Special Thanks

At Splitwise, we’re lucky to have supportive users who help us to find bugs and potential security issues via responsible disclosure. This page contains info on how to contact us if you’ve found a vulnerability, and gives thanks to all the individuals who have reported issues in the past.

Reporting a vulnerability

If you think you’ve found a security issue with Splitwise, we encourage you to report it right away by emailing us at security@splitwise.com. Please include instructions on how to reproduce your issue. We will reply as soon as we are able, usually within 48 hours.

Once we have confirmed your issue, we would be happy to add you to our “special thanks” list below. Let us know if you’d like us to include a link to your Twitter, Facebook, or another URL.

In the event of duplicate reports for the same issue, Splitwise only adds the first person to report the issue to our Responsible Disclosure page.

Third-party systems and non-essential subdomains

Some subdomains of splitwise.com are run via third-party services. If you find an issue with one of these subdomains, you should report it directly to the appropriate company:

In addition, we sometimes use other Splitwise subdomains for projects and tools that are not part of the core Splitwise app. Though we do appreciate security reports for these domains, we may be slower to respond, as issues with these subdomains generally do not pose any security risk.

  • average-rent.splitwise.com
  • api-example.splitwise.com
  • plates.splitwise.com

Special thanks to all those who have helped Splitwise: