Security
Last updated: June 2026
Responsible Disclosure
We take the security of our platform and our users' data seriously. If you believe you have found a security vulnerability in iCheck, we encourage you to report it responsibly.
Please email your findings to security@icheck.app. Include as much detail as possible:
- Description of the vulnerability
- Steps to reproduce
- Potential impact
- Any suggested remediation
Our Commitment
- We will acknowledge receipt of your report within 48 hours.
- We will provide an initial assessment within 5 business days.
- We will not take legal action against researchers who report vulnerabilities responsibly and in good faith.
- We will credit researchers (with permission) for valid findings.
Scope
The following are in scope for responsible disclosure:
- icheck.inc (web application)
- iCheck iOS application
- iCheck API endpoints
- Authentication and session management
- Payment processing flows
Out of Scope
- Social engineering or phishing attacks against staff
- Denial-of-service attacks
- Spam or content abuse (use in-app reporting)
- Third-party services (Stripe, Supabase infrastructure)
Security Practices
- All connections use TLS 1.2+ with HSTS preloading.
- Passwords are hashed using bcrypt with per-user salts (via Supabase Auth).
- Payment data is handled exclusively by Stripe — no card numbers touch our servers.
- Session tokens have short lifetimes with automatic refresh rotation.
- Content Security Policy restricts resource loading to trusted origins.
- All user-generated content is sanitized before rendering.