BuildSwap Security Disclosure Policy
Effective Date: July 11, 2026
Last Updated: July 11, 2026
1. Our Commitment to Security
BuildSwap takes the security of our platform and the privacy of our users seriously. We welcome responsible disclosure of security vulnerabilities. If you believe you have discovered a security issue affecting BuildSwap, we encourage you to report it to us so we can address it promptly.
2. How to Report a Vulnerability
Please submit all security disclosures by email:
Email: legal@buildswap.online
Subject line: `Security Disclosure`
To help us triage and reproduce the issue, please include:
- A clear description of the vulnerability.
- The affected URL, endpoint, or component (if applicable).
- Steps to reproduce the issue.
- The potential impact or severity as you assess it.
- Any proof-of-concept code or screenshots (if relevant).
We will acknowledge receipt of your report within 2 business days and aim to provide an initial assessment within 5 business days.
3. Scope
This policy applies to the BuildSwap platform at https://buildswap.online and any associated subdomains operated by BuildSwap.
4. Out of Scope
The following are outside the scope of this policy:
- Denial of service (DoS/DDoS) attacks.
- Social engineering or phishing attacks targeting BuildSwap staff.
- Physical security issues.
- Vulnerabilities in third-party services or infrastructure not directly controlled by BuildSwap (for example, Supabase, Vercel, or Google services).
- Issues that require unlikely user interaction or physical access to a user's device.
- Issues in browsers, operating systems, or client-side environments outside our control.
If you are unsure whether an issue is in scope, please report it anyway and we will assess it.
5. Our Commitments to You
When you report a security issue in good faith and in accordance with this policy, BuildSwap commits to:
- Acknowledging your report promptly.
- Investigating the issue thoroughly.
- Keeping you informed of our progress where possible.
- Not pursuing legal action against you for good-faith security research conducted in accordance with this policy.
We ask that you:
- Give us a reasonable amount of time to investigate and address the issue before disclosing it publicly.
- Avoid accessing, modifying, or deleting user data beyond what is necessary to demonstrate the vulnerability.
- Not disrupt or degrade the platform for other users.
6. No Bug Bounty
BuildSwap does not currently operate a paid bug bounty program. We do appreciate responsible disclosure and will acknowledge researchers who report valid, in-scope vulnerabilities upon request.
7. Existing Security Measures
BuildSwap implements the following security measures:
- HTTPS for all data in transit.
- Security headers including `X-Frame-Options`, `X-Content-Type-Options`, `Referrer-Policy`, and `Permissions-Policy`.
- Row-Level Security (RLS) enforced at the database layer via Supabase.
- Authentication managed via Supabase Auth with support for Google OAuth.
- Access controls scoped to authenticated users with role-based route protection.
8. Changes to This Policy
We may update this Security Disclosure Policy from time to time. Changes will be reflected by updating the "Last Updated" date on this page.
9. Contact
Security disclosures: legal@buildswap.online
Related documents:
We appreciate the work of the security research community in helping keep BuildSwap and our users safe.