Security & Vulnerability Disclosure

Last updated: June 6, 2026

TrackMyPlace takes the security of our platform and our customers' data seriously. We welcome reports from security researchers who help us keep TrackMyPlace safe. This policy describes how to report a vulnerability, what to expect from us, and what we ask of you.

1. How to Report

Email security@trackmyplace.com with a clear description of the issue, the steps required to reproduce it, the potential impact, and any proof-of-concept material. Please use a single thread per issue so we can track it cleanly.

A machine-readable disclosure record is also published at /.well-known/security.txt in line with RFC 9116.

2. Response SLA

  • Acknowledgement: within 3 business days of receipt.
  • Triage and severity assessment: within 7 business days.
  • Resolution target: critical issues within 30 days, high within 60 days, medium and low on a best-effort basis.
  • Status updates: at least every 14 days until the report is resolved or closed.

3. In Scope

  • The production TrackMyPlace web application at trackmyplace.com.
  • The TrackMyPlace API surface under trackmyplace.com/api.
  • Authentication, authorisation, session management, and tenant isolation issues affecting the platform.
  • Vulnerabilities in our public client portal magic-link and vCard token flows.
  • Issues affecting the confidentiality, integrity, or availability of customer data stored in our platform.

4. Out of Scope

  • Denial-of-service attacks, volumetric testing, or any disruption to production service.
  • Social engineering of TrackMyPlace staff, customers, or vendors; physical attacks; or phishing campaigns.
  • Reports based purely on automated scanner output without a demonstrated impact.
  • Missing security headers, cookie flags, or TLS configuration weaknesses without a proven exploit path.
  • Issues in third-party services we depend on (e.g. Supabase, Vercel, Stripe, Google, Microsoft, Twilio, Resend, Slack) — please report those directly to the relevant vendor.
  • Vulnerabilities that require a rooted, jailbroken, or otherwise already-compromised device.
  • Self-XSS, clickjacking on pages with no sensitive actions, and content spoofing without HTML or script injection.

5. Safe Harbour

If you make a good-faith effort to comply with this policy when researching and reporting a vulnerability, TrackMyPlace will not pursue or support any legal action against you. We consider activity conducted consistent with this policy to be authorised conduct, and we waive any restrictions in our Terms of Service that would otherwise prohibit your testing.

To stay within safe harbour you must:

  • Only test against accounts you own or have explicit written permission to test.
  • Avoid accessing, modifying, or destroying data that does not belong to you. If you encounter customer data, stop immediately and report it.
  • Avoid any action that degrades the service for other customers, such as load testing, brute forcing, or scraping at scale.
  • Comply with all applicable laws, including Australian Privacy Principles and the Privacy Act 1988 (Cth).

If you are unsure whether a specific test is permitted, contact security@trackmyplace.com before proceeding.

6. Coordinated Disclosure

We ask that you give us a reasonable opportunity to investigate and remediate a reported issue before disclosing it publicly. We do not impose a fixed disclosure window, but we ask that you do not publicly share details of an unfixed vulnerability without our written agreement. Once a fix is deployed we are happy to credit reporters who request it.

7. Rewards

TrackMyPlace does not currently run a paid bug bounty program. We recognise meaningful reports publicly (with the reporter's consent) and may, at our discretion, send swag or a thank-you gift for high-impact findings.

8. PGP and Encrypted Submissions

If you would like to submit a report encrypted, email security@trackmyplace.com and we will arrange a secure channel.

9. Contact

All security correspondence should go to security@trackmyplace.com. For general privacy questions, see our Privacy Policy.

Back to sign in