Responsible disclosure

Security at Pikly

Pikly is built as a privacy-first inventory app. If you believe you have found a vulnerability, please report it responsibly so we can review, fix, and protect users.

Report a vulnerability

If you believe you have found a security issue in Pikly, contact us before sharing it publicly.

Security contact: contact@pikly.pro

What to include

The clearer your report is, the faster we can validate and fix the issue.

  • A clear description of the issue and the potential impact.
  • Step-by-step instructions to reproduce the issue.
  • The affected page, app version, operating system, browser, device, or feature.
  • Screenshots, screen recordings, logs, or proof of concept when useful.
  • Any conditions required to trigger the issue, such as permissions, device settings, or subscription state.

Please do not

Testing must be respectful and limited, and must avoid harm to Pikly, users, or infrastructure.

  • Access, modify, delete, copy, or expose another user’s data.
  • Perform denial-of-service, stress, spam, rate-limit, or resource-exhaustion testing.
  • Use social engineering, phishing, physical attacks, or attempts against Pikly employees, users, or providers.
  • Install malware, persist access, bypass payment systems, or disrupt subscriptions.
  • Publicly disclose the issue before we have reviewed it and had a reasonable opportunity to address it.

Testing scope

Focus on Pikly-owned surfaces and features you are authorized to use.

Usually in scope

Pikly public website pages, Pikly mobile app features, barcode scan flow, local inventory features, CSV export behavior, and subscription access logic.

Usually out of scope

Third-party platforms such as Apple, Google, payment providers, hosting providers, email providers, and issues requiring harmful or high-volume testing.

Our review process

We aim to handle reports carefully and proportionately based on severity and reproducibility.

1. Receive: We review your report and may ask for additional details if needed.

2. Validate: We attempt to reproduce the issue, assess risk, and prioritize remediation.

3. Fix: We work on a correction, mitigation, configuration change, or user-facing update where appropriate.

4. Coordinate: We ask that you coordinate any disclosure with us so users are protected first.

Good-faith research

We value responsible security research that follows these guidelines.

If you act in good faith, avoid privacy violations, avoid service disruption, and give us a reasonable opportunity to fix the issue before disclosure, we will not intentionally pursue legal action against you for the research itself. This does not authorize illegal activity, access to third-party systems, extortion, threats, data exfiltration, or actions that harm users or infrastructure.

Pikly does not currently operate a paid bug bounty program. Submission of a report does not guarantee compensation, credit, or public recognition.

Contact

For security reports, use contact@pikly.pro. For privacy questions, review the Privacy Policy or contact us through the same address.

Suggested email subject

Security Report for Pikly