Security & vulnerability disclosure
SleeveFolio holds sensitive data — encrypted broker API keys and a long trading audit trail — so we take security seriously and we welcome good-faith reports from the security community. If you believe you have found a vulnerability, please tell us before disclosing it anywhere else, and give us a reasonable chance to fix it.
How to report
Email security@sleevefolio.com with enough detail to reproduce the issue: the affected URL or feature, the steps you took, what you observed, and any proof-of-concept. Please do not post the issue publicly, open a GitHub issue, or share it with third parties before it is fixed, so it cannot be exploited in the meantime. SleeveFolio is run by a small team; we read reports sent to this address and will follow up, but we cannot commit to a fixed response time.
Scope
In scope: the SleeveFolio web application and its public marketing and documentation pages. Out of scope: anything that requires you to harm a real user or their account, denial-of-service or volumetric testing, social engineering of our staff or vendors, physical attacks, spam, and findings in third-party services we depend on — your broker (Alpaca), our hosting, payment, email, and data providers — which you should report to those vendors directly. Reports that are only theoretical, or that depend on an already-compromised device or browser, may be acknowledged but not actioned.
Safe harbor
If you make a good-faith effort to comply with this policy during your research, we will consider your testing authorized, we will not pursue or support legal action against you for it, and we will work with you in good faith to understand and resolve the issue. Acting in good faith means: stay within the scope above; access only the data needed to demonstrate the issue and never another person’s account or information; do not modify, delete, or retain data that is not yours; do not degrade, disrupt, or test the availability of the service; stop as soon as you have a proof-of-concept; and keep the details confidential until we agree on disclosure. This safe harbor does not authorize violations of law, and it does not extend to actions against third parties.
Recognition
SleeveFolio does not currently run a paid bug-bounty program. We are grateful for responsible disclosure and are happy to credit researchers who report valid issues, with your permission.
This policy may change as the service evolves. The machine-readable contact lives at /.well-known/security.txt.