Pinvale

Security

Last updated: May 11, 2026

Reporting a vulnerability

If you believe you have found a security issue in Pinvale, please email security@pinvale.com with a description of the issue, steps to reproduce, and (if relevant) any proof-of-concept payload. Please do NOT open a public GitHub issue, post to social media, or share details with third parties before we have had a chance to investigate and fix.

We aim to acknowledge new reports within 3 business days and to provide a substantive update within 10 business days. For time-sensitive issues (active exploitation, customer data exposure, authentication bypass), please put URGENT in the subject line.

Safe harbor

We will not pursue legal action against, or ask law enforcement to investigate, researchers who:

  • Make a good-faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service.
  • Only interact with accounts they own, or accounts they have explicit permission from the account holder to test.
  • Stop testing and notify us as soon as they identify a real vulnerability.
  • Do not exfiltrate any customer data beyond the minimum necessary to demonstrate the issue.
  • Give us reasonable time to investigate and remediate before publishing details.

This safe harbor does not waive Pinvale's rights against bad-faith activity (data theft, extortion, attempts to monetize access, disruption of service, social engineering of staff).

In scope

  • app.pinvale.com, the production web application and its API surface.
  • pinvale.com and www.pinvale.com, the marketing site.

Out of scope

  • Findings on third-party services we depend on (report those directly to the vendor: Supabase, Cloudflare, Stripe, Resend, LocationIQ).
  • Self-XSS, social engineering of staff or other Pinvale users, physical attacks, or attacks requiring an attacker already in possession of a victim's device.
  • Rate-limiting bypasses without evidence of real-world impact (e.g., proof of credential stuffing, data extraction at scale).
  • Reports generated solely by automated scanners with no manual verification of impact.
  • Missing security headers, cookie flags, or TLS-config nits on surfaces where they do not lead to demonstrable impact.

Rewards

Pinvale is still small and does not currently run a paid bug bounty program. For valid findings, we offer public credit on this page (with your permission) and our genuine thanks. Once we cross a revenue threshold where a paid program makes sense, we will update this page accordingly.

Researcher acknowledgements

No public reports to acknowledge yet. If you are the first, you will be listed here with your preferred handle and a link if you want one.

Machine-readable contact

Our RFC 9116 disclosure file lives at /.well-known/security.txt.