Security & responsible disclosure
Last updated 2026-05-05
Reporting a vulnerability
Email security@solotrade.com.au (or support@solotrade.com.au as a non-urgent backup).
Include enough detail for us to reproduce the issue. We aim to acknowledge
within 2 business days and resolve critical issues within 14 days.
Machine-readable contact details: /.well-known/security.txt (RFC 9116).
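As an added illustration (not SoloTrade's code, and not the contents of its live file), the Node.js script below checks a security.txt against the RFC 9116 rules a reporter cares about before trusting the contact in it: Contact present and given as a URI (mailto:, https:, tel:), Expires present exactly once, in RFC 3339 form and still in the future (with a warning if it is more than a year out, which the RFC recommends against), Preferred-Languages not repeated, and Canonical using https. The sample file it checks is constructed here and may differ from what is actually served at /.well-known/security.txt.

```javascript
'use strict';
// Added example, not SoloTrade's code: a minimal RFC 9116 security.txt checker.
// Uses no dependencies; paste the real file into checkSecurityTxt() to verify it.

const ONE_YEAR_MS = 365 * 24 * 60 * 60 * 1000;
// RFC 3339 date-time, e.g. 2027-05-01T00:00:00Z or 2027-05-01T10:00:00+10:00
const RFC3339 = /^\d{4}-\d{2}-\d{2}t\d{2}:\d{2}:\d{2}(\.\d+)?(z|[+-]\d{2}:\d{2})$/i;
const HAS_URI_SCHEME = /^[a-z][a-z0-9+.-]*:/i;

// Split into "Name: value" fields. '#' lines are comments, blank lines are ignored,
// field names are case-insensitive. Anything else is recorded as malformed.
function parseSecurityTxt(text) {
  const fields = [];
  for (const rawLine of text.split(/\r?\n/)) {
    const line = rawLine.trim();
    if (line === '' || line.startsWith('#')) continue;
    const m = /^([A-Za-z][A-Za-z0-9-]*):\s*(.*)$/.exec(line);
    if (!m) { fields.push({ name: null, value: line }); continue; }
    fields.push({ name: m[1].toLowerCase(), value: m[2].trim() });
  }
  return fields;
}

// Returns { ok, errors, warnings, fields }. `now` is injectable so results are
// reproducible; it defaults to the wall clock.
function checkSecurityTxt(text, now = new Date()) {
  const errors = [];
  const warnings = [];
  const fields = parseSecurityTxt(text);
  const byName = (name) => fields.filter((f) => f.name === name).map((f) => f.value);

  for (const f of fields) if (f.name === null) errors.push(`malformed line: ${f.value}`);

  // Contact: REQUIRED, one or more, each value MUST be a URI.
  const contacts = byName('contact');
  if (contacts.length === 0) errors.push('Contact field missing');
  for (const c of contacts) {
    if (!HAS_URI_SCHEME.test(c)) errors.push(`Contact is not a URI (use mailto:/https:/tel:): ${c}`);
    else if (/^http:/i.test(c)) warnings.push(`Contact uses plain http: ${c}`);
  }

  // Expires: REQUIRED, exactly once, RFC 3339, in the future, ideally < 1 year away.
  const expires = byName('expires');
  if (expires.length !== 1) {
    errors.push(`Expires must appear exactly once (found ${expires.length})`);
  } else if (!RFC3339.test(expires[0]) || Number.isNaN(Date.parse(expires[0]))) {
    errors.push(`Expires is not an RFC 3339 date-time: ${expires[0]}`);
  } else {
    const t = Date.parse(expires[0]);
    if (t <= now.getTime()) errors.push(`security.txt expired at ${expires[0]}`);
    else if (t - now.getTime() > ONE_YEAR_MS) warnings.push('Expires is more than a year away');
  }

  // Preferred-Languages: MUST NOT appear more than once.
  if (byName('preferred-languages').length > 1) errors.push('Preferred-Languages repeated');

  // Canonical: the file's own https URL(s).
  for (const c of byName('canonical')) {
    if (!/^https:\/\//i.test(c)) errors.push(`Canonical must be an https URL: ${c}`);
  }

  return { ok: errors.length === 0, errors, warnings, fields };
}

// Constructed sample based on the contact address above; the live file may differ.
const SAMPLE = [
  '# Constructed sample, not the live file',
  'Contact: mailto:security@solotrade.com.au',
  'Contact: mailto:support@solotrade.com.au',
  'Expires: 2027-05-01T00:00:00Z',
  'Canonical: https://solotrade.com.au/.well-known/security.txt',
  'Preferred-Languages: en',
].join('\n');

console.log(JSON.stringify(checkSecurityTxt(SAMPLE, new Date('2026-05-05T00:00:00Z')), null, 2));
```

A bare email address in Contact (no mailto:) is the most common mistake in the wild and is reported as an error here; an expired file is also an error, because RFC 9116 tells consumers not to trust stale contact details.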
What's in scope
- Authentication and authorisation flaws on the SoloTrade app, our Supabase project, and our Edge Functions
- Data exposure (PII, business records, receipt photos, OCR output)
- Privilege escalation
- Injection vulnerabilities
- Cryptography misuse (for example nonce reuse, unauthenticated modes, or keys that reach the client). We use AES-256-GCM for receipt photo encryption, with a per-user DEK held in Supabase Vault
- Issues in our open-source build process (signing, dependency lock files)
What's out of scope
- Vulnerabilities in our sub-processors - please report those directly to the vendor.
- Social-engineering attacks against the operator
- Theoretical issues without a working proof of concept
- Reports based purely on missing security headers (we welcome them, but they don't qualify as a vulnerability)
How we protect your data
- In transit: TLS 1.2+ on all connections, with HSTS on solotrade.com.au and our Supabase endpoints.
- At rest: AES-256 encryption on our managed Postgres database.
- Receipt photos: encrypted with a per-user key. In Synced mode the key lives in a managed secrets vault and the photo is decrypted only server-side, in memory, for the OCR call; in Private mode the photo is encrypted on your device and never reaches our servers.
- Secrets: OAuth refresh tokens (Drive, Gmail) and per-user encryption keys are held in a managed vault, never returned to the client, and only readable by our server-side functions.
- Access control: Row Level Security on every user-data table; the elevated (RLS-bypassing) database credential is used only inside server-side functions and never reaches the client.
- On device: auth tokens stored in OS-level secure storage (iOS Keychain / Android Keystore).
- Account protection: sign-up rejects passwords known to be breached, and app-integrity attestation is required for sensitive server-side functions in production.
- Crash reporting: personal data (email, auth tokens, request bodies, cookies) is stripped before any crash report leaves the device.
- Abuse protection: per-user rate limiting on server-side functions that process untrusted input.
What we offer in return
SoloTrade is a small operation; we don't run a paid bounty program in v1.
What we can offer is a fast, technical response, public acknowledgment
(with your consent), a personal thank-you and, if you'd like one, a
complimentary extension of a paid SoloTrade subscription.
Acknowledgments
Reporters who choose to be named will appear here.
(empty - be the first!)
SoloTrade is operated by SoloTradeOS, ABN 75 640 151 073.