SpotHero is dedicated to safeguarding the security of the public by protecting their information from unwarranted disclosure. This policy’s purpose is to convey SpotHero’s guidelines for how security researchers submit discovered vulnerabilities to SpotHero and the standards for which discovery activities should be carried out. This policy describes what systems and types of activities are covered under this policy, how to send vulnerability reports, and how long we ask to wait before publicly announcing discovered vulnerabilities. If we determine that you have made a good faith effort to comply with this policy during your security research, and you otherwise comply with any bug bounty program terms, we will consider your research to be authorized. We will work with you to understand and resolve the issue quickly.   


  • and its subdomains
  • SpotHero iOS mobile applications as installed from the Apple iOS App Store
  • SpotHero Android mobile applications as installed from the Google Play App Store


You agree to do the following:

  • Report your findings as soon as possible following the discovery of any tangible or potential security issue(s).
  • Provide us with at least 180 days to resolve the issue before you disclose it publicly.
  • Employ every effort to avoid privacy violations, degradation of user experience, interference to production systems, and damage or manipulation of data.
  • Only use exploits to the extent necessary to confirm a vulnerability’s presence. Do not use an exploit to compromise or exfiltrate data, establish command line access and/or persistence, or use the exploit to “pivot” to other systems.
  • Once you’ve established that a vulnerability exists or encounter any sensitive data (including personally identifiable information, financial information, or proprietary information or trade secrets of any party), you must stop your test, notify us immediately, and not disclose this data to anyone else.

Out of Bounds

The following types/methods of testing are not authorized:

  • Denial-of-service attacks or issues related to rate limiting
  • Automated testing methods; and
  • Physical testing (e.g., office access, open doors, tailgating), social engineering (e.g., phishing, vishing), or any other non-technical vulnerability testing.
  • Purely theoretical and best practices issues. E.g., SPF/DMARC. 
  • Bugs requiring exceedingly unlikely user interaction.
  • Spam (including issues related to SPF/DKIM/DMARC)
  • Vulnerabilities discovered shortly after their public release. E.g., zero-day, new CVE. 


We accept vulnerability reports at  Reports may be submitted anonymously; however for us to process any potential payment, we may require certain information.


  • Within three (3) business days, we will acknowledge that your report has been received.
  • To the best of our ability, we will confirm the existence of the vulnerability to you and be as transparent as possible about what steps we are taking during the remediation process, including any issues or challenges that may delay resolution.
  • We will maintain an open dialogue to discuss issues.