Security · vulnerability disclosure

Find a hole? Tell us first.

If you've discovered a security vulnerability in Gish, we want to hear about it before it hits the public — and we'll thank you publicly when it's fixed.

Report it here

Encrypted email preferred. Plaintext is fine for low-severity reports.

PGP key: 0xA1B2 C3D4 E5F6 7890 · fingerprint at /security/key.asc

What we promise

If you act in good faith — no public disclosure before we patch, no data exfiltration beyond proof-of-concept, no service disruption — we will:

What's in scope

In scope

  • gishme.com (web)
  • app.gishme.com (dashboard)
  • api.gishme.com (REST + GraphQL)
  • Browser extensions (Chrome / Safari / Firefox)
  • iOS + Android apps
  • Authentication / session handling
  • Payment + outcome-fund routing
  • Privacy / data isolation issues

Out of scope

  • Third-party services we integrate (Stripe, Plaid, etc.)
  • Social engineering of staff
  • Physical attacks on offices
  • DDoS / volumetric attacks
  • Self-XSS
  • Rate-limit findings without impact
  • Outdated browser / OS issues
  • SPF / DKIM / DMARC reports for non-customer domains

Severity tiers & bounties

  • Critical ($5–25k): Account takeover · payment manipulation · full data exfiltration · RCE
  • High ($1–5k): Privilege escalation · IDOR exposing other users' data · auth bypass on sensitive endpoints
  • Medium ($250–1k): XSS (stored) · CSRF on sensitive actions · session fixation · unauthorized email change
  • Low ($50–250): Reflected XSS · open redirect · clickjacking · info disclosure with limited impact

Safe harbor

Activities conducted in compliance with this policy are authorized under the Computer Fraud and Abuse Act, the Digital Millennium Copyright Act, and equivalent state and international laws. We will not pursue civil action or criminal complaints against researchers acting in good faith. If a third party initiates legal action against you for activity that complies with this policy, we will make our authorization known.

Process

  1. Email security@gishme.com with a clear writeup, reproduction steps, and impact assessment.
  2. We acknowledge within 24h and give you a tracking ID.
  3. Our team triages and assigns a severity tier within 72h.
  4. We fix on the timeline above and notify you when patched.
  5. We pay the bounty via your preferred method (Stripe, wire, gift cards to a 501(c)(3)).
  6. We add you to the thanks page with your preferred credit.

One more thing.

Gish handles real money for real people. Outcome funds route to verified payees — surgery co-pays, tuition, rent, weddings. If you find something that could compromise a payee verification, get money to the wrong account, or expose a recipient's identity — we treat that as critical and we'd rather pay you generously than read about it on Hacker News.

Last updated: Apr 26, 2026 · v2.1 · This policy is published as /.well-known/security.txt per RFC 9116. The canonical version lives at gishme.com/security/policy.