โ† Legal documents

Security

Vulnerability Disclosure Policy

Guidelines for responsibly reporting security vulnerabilities.

Effective: 2026-06-25 · Updated: 2026-06-25 · Version 1.0

1. Introduction

TheSHFTApp LLC ("TheSHFTApp") welcomes responsible security research and disclosure. This Vulnerability Disclosure Policy ("VDP") establishes guidelines for how security researchers, users, and third parties may report security vulnerabilities they discover in the Platform, and describes how we will respond.


2. Scope

2.1 In Scope

The following systems are within scope for vulnerability disclosure:

  • theshftapp.com and all subdomains
  • TheSHFTApp web application and Platform
  • TheSHFTApp mobile applications (iOS and Android)
  • TheSHFTApp Browser Extensions
  • TheSHFTApp APIs and developer tools

2.2 Out of Scope

The following are out of scope:

  • Third-party services and infrastructure not directly operated by TheSHFTApp
  • Social engineering attacks against TheSHFTApp employees or users
  • Physical security attacks
  • Denial-of-service (DoS) or distributed denial-of-service (DDoS) attacks
  • Spam, phishing, or other non-technical attacks
  • Automated scanning results without demonstrated exploitability
  • Theoretical vulnerabilities without practical impact
  • Issues in third-party libraries where no TheSHFTApp-specific exploit path exists

3. Reporting a Vulnerability

3.1 How to Report. Report potential vulnerabilities by email to: security@theshftapp.com

Please include in your report:

  • A clear description of the vulnerability and its potential impact;
  • The affected systems, URLs, or components;
  • Step-by-step reproduction instructions;
  • Any proof-of-concept code, screenshots, or videos;
  • Your contact information for follow-up; and
  • Any suggested remediation, if applicable.

3.2 PGP Encryption. If you need to transmit sensitive details securely, request our PGP public key from security@theshftapp.com before submission.


4. What to Expect from Us

4.1 Acknowledgment. We will acknowledge receipt of your report within five (5) business days.

4.2 Initial Assessment. We will provide an initial assessment of severity and scope within fifteen (15) business days.

4.3 Updates. We will keep you informed of our remediation progress at reasonable intervals.

4.4 Resolution. We will work to remediate confirmed vulnerabilities within a timeframe appropriate to severity:

  • Critical: Immediate priority (within 7 days where possible)
  • High: 30 days
  • Medium: 60 days
  • Low: 90 days

4.5 Coordination. We will coordinate with you on disclosure timing if you intend to publish your findings.


5. Responsible Disclosure Rules

We ask that you:

  • Not access, modify, delete, or exfiltrate user data beyond what is strictly necessary to demonstrate the vulnerability;
  • Not perform actions that could harm the Platform's availability or integrity;
  • Not disclose the vulnerability publicly before we have had a reasonable opportunity to remediate it;
  • Not exploit the vulnerability for personal gain or to harm users; and
  • Comply with all applicable laws.

6. Safe Harbor

TheSHFTApp will not pursue legal action against security researchers who:

  • Act in good faith and in compliance with this Policy;
  • Do not exceed the minimum access necessary to demonstrate the vulnerability;
  • Do not cause harm to users, the Platform, or TheSHFTApp; and
  • Coordinate disclosure as described above.

We consider good-faith vulnerability research to be a valuable contribution to security. This safe harbor does not apply to malicious actors, those who exploit vulnerabilities, or those who violate applicable law.


7. Recognition

TheSHFTApp may maintain a security acknowledgment page recognizing responsible disclosures with reporter consent. We do not currently operate a formal bug bounty program with monetary rewards; this may change in the future.


8. Contact

Security team: security@theshftapp.com

Questions about this document?

Contact legal@theshftapp.com · TheSHFTApp LLC · 13365 Arbor Pointe Circle, Apt 201, Tampa, FL 33617