We use cookies on our website to help us provide the best browsing experience. By continuing to use our website you are deemed to have agreed to the use of cookies.
Learn MoreOK

Vulnerability Disclosure Policy

Updated May 08, 2026

Policy

At Cowrywise, the security of our platform and our customers’ financial data is our top priority. We welcome responsible disclosure of security vulnerabilities by the security community.

Scope

This policy applies to:

  • *.cowrywise.com
  • Cowrywise mobile applications (iOS & Android)
  • APIs and services operated by Cowrywise
Out of scope

The following are not in scope:

  • Physical security attacks
  • Social engineering attacks against employees or customers
  • Denial of service (DoS/DDoS) attacks
  • Spam or phishing simulation reports
  • Automated scanner output without demonstrated impact
  • Self-XSS (requires victim to paste code)
  • Missing security headers without clear attack vector
  • Clickjacking on pages with no sensitive actions
  • Attacks requiring physical access to a user's device
  • Rate limiting issues on non-critical endpoints
  • Username/email enumeration via login or forgot password
  • Missing CAPTCHA without demonstrated abuse
  • Content spoofing or text injection without a realistic attack vector
  • Best practice recommendations without exploitable vulnerability
Reporting a vulnerability

If you believe you’ve found a security vulnerability, please report it to: infosec@cowrywise.com

Please include:

  • A clear description of the vulnerability
  • Steps to reproduce the issue
  • Affected URLs, endpoints, or components
  • Proof-of-concept code or screenshots (avoid destructive testing)
  • Potential impact of the vulnerability
  • Your preferred contact for follow-up
What to expect
  • Acknowledge receipt within 48 hours
  • Initial assessment within 5 business days
  • Keep you informed of remediation progress
  • Resolve validated issues according to severity
Guidelines for researchers

When conducting security research, please:

  • Make a good faith effort to avoid privacy violations, data destruction, or service disruption
  • Only interact with accounts you own or have explicit permission to test
  • Do not access, modify, or delete other users' data
  • Stop testing and notify us immediately if you accidentally access user data
  • Do not publicly disclose findings until we've had reasonable time to remediate
No bug bounty program

Cowrywise does not currently operate a paid bug bounty program. While we greatly appreciate your help in making our platform more secure, we are unable to offer monetary rewards at this time. We will, however, publicly acknowledge researchers who responsibly disclose validated vulnerabilities (with your permission).

Safe harbor

We will not pursue legal action against individuals who:

  • Comply with this disclosure policy
  • Report vulnerabilities in good faith
  • Do not exploit vulnerabilities beyond what is necessary to demonstrate them

This policy reflects our commitment to working with the security community and is based on coordinated vulnerability disclosure best practices.