Security | LifeTravel

Back to Home

Security

Responsible disclosure policy · Last updated April 25, 2026

Our Security Practices

We take security seriously. Here is a summary of the measures we have in place:

Encryption in transit

All traffic is encrypted with TLS 1.2+.

Encryption at rest

Firestore data and Storage files are encrypted at rest by Google.

Firebase Security Rules

Strict per-user access rules; no user can read another's private data.

Hashed passwords

Passwords are hashed by Firebase Authentication — we never store plaintext passwords.

Secure payment handling

Card data goes directly to Stripe (PCI-DSS Level 1). We never see full card numbers.

Error monitoring

Sentry captures errors in real-time so we can respond to issues quickly.

reCAPTCHA v3

Bot and spam protection on auth and form endpoints.

Content Security Policy

Strict CSP headers limit script and resource origins on every page.

Responsible Disclosure Policy

We welcome security researchers who help keep LifeTravel and our users safe. If you discover a vulnerability, please follow coordinated disclosure: report it to us privately before publishing or disclosing it to any third party.

How to report a vulnerability

Send an email to [email protected] (also forwards to [email protected]) with:

A description of the vulnerability and its potential impact
Steps to reproduce (proof of concept if possible)
The affected URL, endpoint, or feature
Your contact details (optional, if you want acknowledgement)

What We Ask of Researchers

Give us reasonable time to investigate and fix the issue before any public disclosure.
Do not access, modify, or delete data belonging to real users during testing.
Do not conduct denial-of-service attacks or automated scanning that impacts service availability.
Do not social-engineer or phish our users or staff.
Do not use vulnerabilities for personal gain or to damage LifeTravel.

Response Timeline

Initial acknowledgement

Within 48 hoursCommitted

Triage and severity assessment

Within 5 business daysTarget

Fix or mitigation plan

Within 30 days for critical issuesTarget

Public disclosure (coordinated)

After fix is deployedPolicy

Scope

In scope:

lifetravel.app and all subdomains
LifeTravel mobile applications
LifeTravel API endpoints

Out of scope:

Third-party services (Firebase, Stripe, Google Maps) — report directly to them
Social engineering attacks against staff
Physical security
Denial of service attacks

Recognition

We do not currently offer monetary bug bounties, but we genuinely appreciate security researchers who help us. With your permission, we will acknowledge your contribution in our security hall of fame and/or release notes. Let us know in your report if you'd like to be credited.

For non-security enquiries, contact [email protected]. This policy is governed by the laws of The Netherlands.