How to report
Send an email to soporte@tucora.com.ar with the subject "Security Report". Include:
- A description of the vulnerability
- Steps to reproduce it
- Potential impact
- The app version and device where you found it
- Your name or pseudonym (for optional recognition)
We respond within 72 business hours with an acknowledgment of receipt. Estimated resolution depending on severity: 7-30 days.
Commitment (safe harbor)
If you act in good faith and follow this policy, TuCora commits to:
- Not taking legal action against you for the research conducted.
- Working collaboratively to understand and resolve the issue.
- Recognizing you publicly (with your permission) in our Hall of Fame.
Scope (in-scope)
- TuCora mobile app (Android, package com.matias.cora)
- The tucora.com.ar website and subdomains
- The project's Supabase Edge Functions
- The database's tables and RLS policies
Out of scope (out-of-scope)
- Vulnerabilities in third-party providers (Supabase, Google, RevenueCat, Netlify) — report them directly to them
- Denial-of-service attacks (DoS/DDoS)
- Social engineering, phishing against employees or users
- Physical access to devices
- Vulnerabilities on rooted/jailbroken devices
- Lack of "best practices" without demonstrable impact (soft rate limiting, cosmetic headers, etc.)
What we ask
- Do not access other users' data beyond what is necessary to demonstrate the vulnerability.
- Do not degrade the service for third parties.
- Do not disclose the vulnerability before reporting it and allowing a reasonable time to fix it (90 days standard).
- Delete any data you may have accidentally accessed.
Bug bounty program
TuCora currently does not offer monetary rewards for security reports. We do offer:
- Public recognition (Hall of Fame)
- 1 year of free Premium for valid medium- or high-severity reports
- Lifetime Premium for valid critical-severity reports
security.txt
This information is published in the standard RFC 9116 format:
https://tucora.com.ar/.well-known/security.txt
Hall of Fame
We don't have any reports yet. This section will be updated as the security community helps us.