Responsible Disclosure / Special Thanks

At Splitwise, we’re lucky to have supportive users who help us to find bugs and potential security issues via responsible disclosure. This page contains info on how to contact us if you’ve found a vulnerability, and gives thanks to all the individuals who have reported issues in the past.

Reporting a vulnerability

If you think you’ve found a security issue with Splitwise, we encourage you to report it right away by emailing us at Please include instructions on how to reproduce your issue. We will reply as soon as we are able, usually within 48 hours.

Once we have confirmed your issue, we would be happy to add you to our “special thanks” list below. Let us know if you’d like us to include a link to your Twitter, Facebook, or another URL.

In the event of duplicate reports for the same issue, Splitwise only adds the first person to report the issue to our Responsible Disclosure page.

Third-party systems and non-essential subdomains

Some subdomains of are run via third-party services. If you find an issue with one of these subdomains, you may want to report it directly to the appropriate company, depending on the issue:

In addition, we sometimes use other Splitwise subdomains for projects and tools that are not part of the core Splitwise app. Though we do appreciate security reports for these domains, we may be slower to respond, as issues with these subdomains generally pose less of a security risk.


Special thanks to all those who have helped Splitwise: